Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 49077295 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: ipa: Fix to handle NULL pointer dereference" into msm-4.14

parents cdf00f6c 5fbdae4b

drivers/platform/msm/ipa/ipa_v3/ipa_rt.c

+63 −1
Original line number Diff line number Diff line
@@ -52,6 +52,8 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip, 
	struct ipa3_rt_entry *entry, u8 *buf)

{

	struct ipahal_rt_rule_gen_params gen_params;

	struct ipa3_hdr_entry *hdr_entry;

	struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;

	int res = 0;



	memset(&gen_params, 0, sizeof(gen_params));
@@ -71,6 +73,25 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip, 
		return -EPERM;

	}



	/* Adding check to confirm still

	 * header entry present in header table or not

	 */



	if (entry->hdr) {

		hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);

		if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {

			IPAERR_RL("Header entry already deleted\n");

			return -EPERM;

		}

	} else if (entry->proc_ctx) {

		hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);

		if (!hdr_proc_entry ||

			hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {

			IPAERR_RL("Proc header entry already deleted\n");

			return -EPERM;

		}

	}



	if (entry->proc_ctx || (entry->hdr && entry->hdr->is_hdr_proc_ctx)) {

		struct ipa3_hdr_proc_ctx_entry *proc_ctx;
@@ -1267,6 +1288,8 @@ int __ipa3_del_rt_rule(u32 rule_hdl) 
{

	struct ipa3_rt_entry *entry;

	int id;

	struct ipa3_hdr_entry *hdr_entry;

	struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;



	entry = ipa3_id_find(rule_hdl);
@@ -1289,6 +1312,25 @@ int __ipa3_del_rt_rule(u32 rule_hdl) 
		}

	}



	/* Adding check to confirm still

	 * header entry present in header table or not

	 */



	if (entry->hdr) {

		hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);

		if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {

			IPAERR_RL("Header entry already deleted\n");

			return -EINVAL;

		}

	} else if (entry->proc_ctx) {

		hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);

		if (!hdr_proc_entry ||

			hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {

			IPAERR_RL("Proc header entry already deleted\n");

			return -EINVAL;

		}

	}



	if (entry->hdr)

		__ipa3_release_hdr(entry->hdr->id);

	else if (entry->proc_ctx)
@@ -1609,7 +1651,8 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy *rtrule) 
	struct ipa3_rt_entry *entry;

	struct ipa3_hdr_entry *hdr = NULL;

	struct ipa3_hdr_proc_ctx_entry *proc_ctx = NULL;



	struct ipa3_hdr_entry *hdr_entry;

	struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;

	if (rtrule->rule.hdr_hdl) {

		hdr = ipa3_id_find(rtrule->rule.hdr_hdl);

		if ((hdr == NULL) || (hdr->cookie != IPA_HDR_COOKIE)) {
@@ -1636,6 +1679,25 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy *rtrule) 
		goto error;

	}



	/* Adding check to confirm still

	 * header entry present in header table or not

	 */



	if (entry->hdr) {

		hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);

		if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {

			IPAERR_RL("Header entry already deleted\n");

			return -EPERM;

		}

	} else if (entry->proc_ctx) {

		hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);

		if (!hdr_proc_entry ||

			hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {

			IPAERR_RL("Proc header entry already deleted\n");

			return -EPERM;

		}

	}



	if (entry->hdr)

		entry->hdr->ref_cnt--;

	if (entry->proc_ctx)