commit 93e94ceae64c0f2c2ef5b82fb76da88e7bcbb155
author Mohammed Javid <mjavid@codeaurora.org> Thu Jun 15 15:39:04 2017 +0530
committer Mohammed Javid <mjavid@codeaurora.org> Wed Jul 19 14:31:26 2017 +0530
tree 6b203c97a6e8b544457694aeeb5eb9a2f98e65d2
parent 4d9a308b714be99800f75f003e64f1d375a00615

msm:ipa: Fix to incorrect structure access

Accessing of incorrect structure pointer is causing
memory out of bound access, fixed issue by accessing
the correct structure pointer.

Change-Id: I3c2f5f7a97cac854093ef670184d06db4231f5e1
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c

diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
index 14d776e..0c1832c 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
@@ -336,7 +336,7 @@
 		IPAERR("hdr_hdl is invalid\n");
 		return -EINVAL;
 	}
-	if (hdr_entry->cookie != IPA_COOKIE) {
+	if (hdr_entry->cookie != IPA_HDR_COOKIE) {
 		IPAERR("Invalid header cookie %u\n", hdr_entry->cookie);
 		WARN_ON(1);
 		return -EINVAL;
@@ -357,7 +357,7 @@
 	entry->l2tp_params = proc_ctx->l2tp_params;
 	if (add_ref_hdr)
 		hdr_entry->ref_cnt++;
-	entry->cookie = IPA_COOKIE;
+	entry->cookie = IPA_PROC_HDR_COOKIE;
 
 	needed_len = ipahal_get_proc_ctx_needed_len(proc_ctx->type);
 
@@ -415,6 +415,7 @@
 	if (id < 0) {
 		IPAERR("failed to alloc id\n");
 		WARN_ON(1);
+		goto ipa_insert_failed;
 	}
 	entry->id = id;
 	proc_ctx->proc_ctx_hdl = id;
@@ -422,6 +423,14 @@
 
 	return 0;
 
+ipa_insert_failed:
+	if (offset)
+		list_move(&offset->link,
+		&htbl->head_free_offset_list[offset->bin]);
+	entry->offset_entry = NULL;
+	list_del(&entry->link);
+	htbl->proc_ctx_cnt--;
+
 bad_len:
 	if (add_ref_hdr)
 		hdr_entry->ref_cnt--;
@@ -434,7 +443,7 @@
 static int __ipa_add_hdr(struct ipa_hdr_add *hdr)
 {
 	struct ipa3_hdr_entry *entry;
-	struct ipa_hdr_offset_entry *offset;
+	struct ipa_hdr_offset_entry *offset = NULL;
 	u32 bin;
 	struct ipa3_hdr_tbl *htbl = &ipa3_ctx->hdr_tbl;
 	int id;
@@ -465,7 +474,7 @@
 	entry->type = hdr->type;
 	entry->is_eth2_ofst_valid = hdr->is_eth2_ofst_valid;
 	entry->eth2_ofst = hdr->eth2_ofst;
-	entry->cookie = IPA_COOKIE;
+	entry->cookie = IPA_HDR_COOKIE;
 
 	if (hdr->hdr_len <= ipa_hdr_bin_sz[IPA_HDR_BIN0])
 		bin = IPA_HDR_BIN0;
@@ -544,6 +553,7 @@
 	if (id < 0) {
 		IPAERR("failed to alloc id\n");
 		WARN_ON(1);
+		goto ipa_insert_failed;
 	}
 	entry->id = id;
 	hdr->hdr_hdl = id;
@@ -568,10 +578,19 @@
 	entry->ref_cnt--;
 	hdr->hdr_hdl = 0;
 	ipa3_id_remove(id);
+ipa_insert_failed:
+	if (entry->is_hdr_proc_ctx) {
+		dma_unmap_single(ipa3_ctx->pdev, entry->phys_base,
+			entry->hdr_len, DMA_TO_DEVICE);
+	} else {
+		if (offset)
+			list_move(&offset->link,
+			&htbl->head_free_offset_list[offset->bin]);
+		entry->offset_entry = NULL;
+	}
 	htbl->hdr_cnt--;
 	list_del(&entry->link);
-	dma_unmap_single(ipa3_ctx->pdev, entry->phys_base,
-			entry->hdr_len, DMA_TO_DEVICE);
+
 fail_dma_mapping:
 	entry->is_hdr_proc_ctx = false;
 
@@ -589,7 +608,7 @@
 	struct ipa3_hdr_proc_ctx_tbl *htbl = &ipa3_ctx->hdr_proc_ctx_tbl;
 
 	entry = ipa3_id_find(proc_ctx_hdl);
-	if (!entry || (entry->cookie != IPA_COOKIE)) {
+	if (!entry || (entry->cookie != IPA_PROC_HDR_COOKIE)) {
 		IPAERR("bad parm\n");
 		return -EINVAL;
 	}
@@ -640,7 +659,7 @@
 		return -EINVAL;
 	}
 
-	if (entry->cookie != IPA_COOKIE) {
+	if (entry->cookie != IPA_HDR_COOKIE) {
 		IPAERR("bad parm\n");
 		return -EINVAL;
 	}
@@ -1186,7 +1205,7 @@
 		goto bail;
 	}
 
-	if (entry->cookie != IPA_COOKIE) {
+	if (entry->cookie != IPA_HDR_COOKIE) {
 		IPAERR("invalid header entry\n");
 		result = -EINVAL;
 		goto bail;