Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5fbdae4b authored by Mohammed Javid's avatar Mohammed Javid
Browse files

msm: ipa: Fix to handle NULL pointer dereference 



Header entry deleted but same entry pointer using in
routing table not updated. Added checks to confirm
header entry present or not before using it to avoid
null pointer dereference.

Change-Id: Id1d844c60b2dcb0cc7cf18352b78d62fe5a89347
Acked-by: default avatarAshok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: default avatarMohammed Javid <mjavid@codeaurora.org>
parent 5027ffca

drivers/platform/msm/ipa/ipa_v3/ipa_rt.c

+63 −1
Original line number Diff line number Diff line
@@ -52,6 +52,8 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip, 
	struct ipa3_rt_entry *entry, u8 *buf)

{

	struct ipahal_rt_rule_gen_params gen_params;

	struct ipa3_hdr_entry *hdr_entry;

	struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;

	int res = 0;



	memset(&gen_params, 0, sizeof(gen_params));
@@ -71,6 +73,25 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip, 
		return -EPERM;

	}



	/* Adding check to confirm still

	 * header entry present in header table or not

	 */



	if (entry->hdr) {

		hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);

		if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {

			IPAERR_RL("Header entry already deleted\n");

			return -EPERM;

		}

	} else if (entry->proc_ctx) {

		hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);

		if (!hdr_proc_entry ||

			hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {

			IPAERR_RL("Proc header entry already deleted\n");

			return -EPERM;

		}

	}



	if (entry->proc_ctx || (entry->hdr && entry->hdr->is_hdr_proc_ctx)) {

		struct ipa3_hdr_proc_ctx_entry *proc_ctx;
@@ -1267,6 +1288,8 @@ int __ipa3_del_rt_rule(u32 rule_hdl) 
{

	struct ipa3_rt_entry *entry;

	int id;

	struct ipa3_hdr_entry *hdr_entry;

	struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;



	entry = ipa3_id_find(rule_hdl);
@@ -1289,6 +1312,25 @@ int __ipa3_del_rt_rule(u32 rule_hdl) 
		}

	}



	/* Adding check to confirm still

	 * header entry present in header table or not

	 */



	if (entry->hdr) {

		hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);

		if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {

			IPAERR_RL("Header entry already deleted\n");

			return -EINVAL;

		}

	} else if (entry->proc_ctx) {

		hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);

		if (!hdr_proc_entry ||

			hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {

			IPAERR_RL("Proc header entry already deleted\n");

			return -EINVAL;

		}

	}



	if (entry->hdr)

		__ipa3_release_hdr(entry->hdr->id);

	else if (entry->proc_ctx)
@@ -1609,7 +1651,8 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy *rtrule) 
	struct ipa3_rt_entry *entry;

	struct ipa3_hdr_entry *hdr = NULL;

	struct ipa3_hdr_proc_ctx_entry *proc_ctx = NULL;



	struct ipa3_hdr_entry *hdr_entry;

	struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;

	if (rtrule->rule.hdr_hdl) {

		hdr = ipa3_id_find(rtrule->rule.hdr_hdl);

		if ((hdr == NULL) || (hdr->cookie != IPA_HDR_COOKIE)) {
@@ -1636,6 +1679,25 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy *rtrule) 
		goto error;

	}



	/* Adding check to confirm still

	 * header entry present in header table or not

	 */



	if (entry->hdr) {

		hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);

		if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {

			IPAERR_RL("Header entry already deleted\n");

			return -EPERM;

		}

	} else if (entry->proc_ctx) {

		hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);

		if (!hdr_proc_entry ||

			hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {

			IPAERR_RL("Proc header entry already deleted\n");

			return -EPERM;

		}

	}



	if (entry->hdr)

		entry->hdr->ref_cnt--;

	if (entry->proc_ctx)