msm: ipa: Prevent multiple header deletion from user space
An IPA header or processing context can be added once
and later deleted once from user space.
Multiple deletion may cause invalid state of the headers
software cache.
Change-Id: Ic0b8472b7fd8a76233a007d90c832af726184574
CRs-fixed: 1097714
Signed-off-by: Ghanim Fodi <gfodi@codeaurora.org>
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
index 6274579..69db99a 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -576,7 +576,8 @@
return -EPERM;
}
-static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
+static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl,
+ bool release_hdr, bool by_user)
{
struct ipa3_hdr_proc_ctx_entry *entry;
struct ipa3_hdr_proc_ctx_tbl *htbl = &ipa3_ctx->hdr_proc_ctx_tbl;
@@ -590,6 +591,14 @@
IPADBG("del proc ctx cnt=%d ofst=%d\n",
htbl->proc_ctx_cnt, entry->offset_entry->offset);
+ if (by_user && entry->user_deleted) {
+ IPAERR("proc_ctx already deleted by user\n");
+ return -EINVAL;
+ }
+
+ if (by_user)
+ entry->user_deleted = true;
+
if (--entry->ref_cnt) {
IPADBG("proc_ctx_hdl %x ref_cnt %d\n",
proc_ctx_hdl, entry->ref_cnt);
@@ -597,7 +606,7 @@
}
if (release_hdr)
- __ipa3_del_hdr(entry->hdr->id);
+ __ipa3_del_hdr(entry->hdr->id, false);
/* move the offset entry to appropriate free list */
list_move(&entry->offset_entry->link,
@@ -614,7 +623,7 @@
}
-int __ipa3_del_hdr(u32 hdr_hdl)
+int __ipa3_del_hdr(u32 hdr_hdl, bool by_user)
{
struct ipa3_hdr_entry *entry;
struct ipa3_hdr_tbl *htbl = &ipa3_ctx->hdr_tbl;
@@ -625,7 +634,7 @@
return -EINVAL;
}
- if (!entry || (entry->cookie != IPA_COOKIE)) {
+ if (entry->cookie != IPA_COOKIE) {
IPAERR("bad parm\n");
return -EINVAL;
}
@@ -638,6 +647,14 @@
entry->hdr_len, htbl->hdr_cnt,
entry->offset_entry->offset);
+ if (by_user && entry->user_deleted) {
+ IPAERR("proc_ctx already deleted by user\n");
+ return -EINVAL;
+ }
+
+ if (by_user)
+ entry->user_deleted = true;
+
if (--entry->ref_cnt) {
IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt);
return 0;
@@ -648,7 +665,7 @@
entry->phys_base,
entry->hdr_len,
DMA_TO_DEVICE);
- __ipa3_del_hdr_proc_ctx(entry->proc_ctx->id, false);
+ __ipa3_del_hdr_proc_ctx(entry->proc_ctx->id, false, false);
} else {
/* move the offset entry to appropriate free list */
list_move(&entry->offset_entry->link,
@@ -710,15 +727,16 @@
}
/**
- * ipa3_del_hdr() - Remove the specified headers from SW and optionally commit
- * them to IPA HW
+ * ipa3_del_hdr_by_user() - Remove the specified headers
+ * from SW and optionally commit them to IPA HW
* @hdls: [inout] set of headers to delete
+ * @by_user: Operation requested by user?
*
* Returns: 0 on success, negative on failure
*
* Note: Should not be called from atomic context
*/
-int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls)
+int ipa3_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user)
{
int i;
int result = -EFAULT;
@@ -730,7 +748,7 @@
mutex_lock(&ipa3_ctx->lock);
for (i = 0; i < hdls->num_hdls; i++) {
- if (__ipa3_del_hdr(hdls->hdl[i].hdl)) {
+ if (__ipa3_del_hdr(hdls->hdl[i].hdl, by_user)) {
IPAERR("failed to del hdr %i\n", i);
hdls->hdl[i].status = -1;
} else {
@@ -751,6 +769,20 @@
}
/**
+ * ipa3_del_hdr() - Remove the specified headers from SW
+ * and optionally commit them to IPA HW
+ * @hdls: [inout] set of headers to delete
+ *
+ * Returns: 0 on success, negative on failure
+ *
+ * Note: Should not be called from atomic context
+ */
+int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls)
+{
+ return ipa3_del_hdr_by_user(hdls, false);
+}
+
+/**
* ipa3_add_hdr_proc_ctx() - add the specified headers to SW
* and optionally commit them to IPA HW
* @proc_ctxs: [inout] set of processing context headers to add
@@ -795,16 +827,18 @@
}
/**
- * ipa3_del_hdr_proc_ctx() -
+ * ipa3_del_hdr_proc_ctx_by_user() -
* Remove the specified processing context headers from SW and
* optionally commit them to IPA HW.
* @hdls: [inout] set of processing context headers to delete
+ * @by_user: Operation requested by user?
*
* Returns: 0 on success, negative on failure
*
* Note: Should not be called from atomic context
*/
-int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
+int ipa3_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls,
+ bool by_user)
{
int i;
int result;
@@ -816,7 +850,7 @@
mutex_lock(&ipa3_ctx->lock);
for (i = 0; i < hdls->num_hdls; i++) {
- if (__ipa3_del_hdr_proc_ctx(hdls->hdl[i].hdl, true)) {
+ if (__ipa3_del_hdr_proc_ctx(hdls->hdl[i].hdl, true, by_user)) {
IPAERR("failed to del hdr %i\n", i);
hdls->hdl[i].status = -1;
} else {
@@ -837,6 +871,21 @@
}
/**
+ * ipa3_del_hdr_proc_ctx() -
+ * Remove the specified processing context headers from SW and
+ * optionally commit them to IPA HW.
+ * @hdls: [inout] set of processing context headers to delete
+ *
+ * Returns: 0 on success, negative on failure
+ *
+ * Note: Should not be called from atomic context
+ */
+int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
+{
+ return ipa3_del_hdr_proc_ctx_by_user(hdls, false);
+}
+
+/**
* ipa3_commit_hdr() - commit to IPA HW the current header table in SW
*
* Returns: 0 on success, negative on failure
@@ -1064,7 +1113,7 @@
{
int result = 0;
- if (__ipa3_del_hdr(hdr_hdl)) {
+ if (__ipa3_del_hdr(hdr_hdl, false)) {
IPADBG("fail to del hdr %x\n", hdr_hdl);
result = -EFAULT;
goto bail;
@@ -1092,7 +1141,7 @@
{
int result = 0;
- if (__ipa3_del_hdr_proc_ctx(proc_ctx_hdl, true)) {
+ if (__ipa3_del_hdr_proc_ctx(proc_ctx_hdl, true, false)) {
IPADBG("fail to del hdr %x\n", proc_ctx_hdl);
result = -EFAULT;
goto bail;