Commit 7fa0fbc4 authored Nov 23, 2019 by Subash Abhinov Kasiviswanathan Committed by Gerrit - the friendly Code Review server Nov 22, 2019

drivers: shs: limit size copied to cached flows array to avoid globar var corruption



Add limit to the number of flows copied into the gold flow and slow start
flow arrays before memcpy to shared memory. Going out of bounds on the
array write corrupted the global variables for the shared memory pointers.
Fixes the following:

[  846.803490] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000081
[  846.909206] Process kworker/4:1 (pid: 80, stack limit = 0xffffff800b670000)
[  846.916377] CPU: 4 PID: 80 Comm: kworker/4:1 Tainted: G S         O      4.19.81+ #1
[  846.930899] Workqueue: rmnet_shs_wq rmnet_shs_wq_process_wq [rmnet_shs]
[  846.942612] pc : rmnet_shs_wq_mem_update_cached_sorted_ss_flows+0x9c/0xf0 [rmnet_shs]
[  846.950657] lr : rmnet_shs_wq_eval_cpus_caps_and_flows+0x74/0x218 [rmnet_shs]

Change-Id: Ifeee71e48fc61c4dd750eb061573beb88fcd2b7d
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>

parent 1df496e8

drivers/rmnet/shs/rmnet_shs_wq_mem.c

+17 −0

Original line number	Diff line number	Diff line
		@@ -490,6 +490,14 @@ void rmnet_shs_wq_mem_update_cached_sorted_gold_flows(struct list_head *gold_flo
		if (!gflow_node)
		continue;

		if (gflow_node->rx_pps == 0) {
		continue;
		}

		if (idx >= RMNET_SHS_MAX_USRFLOWS) {
		break;
		}

		rm_err("SHS_SGOLD: > flow 0x%x with pps %llu on cpu[%d]",
		gflow_node->hash, gflow_node->rx_pps,
		gflow_node->cpu_num);
		@@ -548,6 +556,15 @@ void rmnet_shs_wq_mem_update_cached_sorted_ss_flows(struct list_head *ss_flows)
		if (!ssflow_node)
		continue;


		if (ssflow_node->rx_pps == 0) {
		continue;
		}

		if (idx >= RMNET_SHS_MAX_USRFLOWS) {
		break;
		}

		rm_err("SHS_SLOW: > flow 0x%x with pps %llu on cpu[%d]",
		ssflow_node->hash, ssflow_node->rx_pps,
		ssflow_node->cpu_num);