Merge "msm: ipa: Fix to use after free issue"

commit: d2ae07b1955bfca9609ee820e1855dcd5476244b [log] [tgz]
author: Linux Build Service Account <lnxbuild@quicinc.com> Mon Sep 04 15:56:09 2017 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> Mon Sep 04 15:56:08 2017 -0700
tree: a93e2ad794a20b56449a2cfe2bb1f9f9eb9551a0
parent: 564556da74e1e23941b49f8d978efb7acba674c7 [diff]
parent: 025d7bb5811f4330c0836f0a96d0b1403965b58f [diff]
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c
index 50930d3..bada5cc 100644
--- a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c
+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c

@@ -53,7 +53,7 @@
 	int pipe_idx;
 
 	if (buf == NULL) {
-		memset(tmp, 0, IPA_RT_FLT_HW_RULE_BUF_SIZE);
+		memset(tmp, 0, (IPA_RT_FLT_HW_RULE_BUF_SIZE/4));
 		buf = (u8 *)tmp;
 	}
 
@@ -75,8 +75,15 @@
 	rule_hdr->u.hdr.pipe_dest_idx = pipe_idx;
 	rule_hdr->u.hdr.system = !ipa_ctx->hdr_tbl_lcl;
 	if (entry->hdr) {
-		rule_hdr->u.hdr.hdr_offset =
-			entry->hdr->offset_entry->offset >> 2;
+		if (entry->hdr->cookie == IPA_HDR_COOKIE) {
+			rule_hdr->u.hdr.hdr_offset =
+				entry->hdr->offset_entry->offset >> 2;
+		} else {
+			IPAERR("Entry hdr deleted by user = %d cookie = %u\n",
+				entry->hdr->user_deleted, entry->hdr->cookie);
+			WARN_ON(1);
+			rule_hdr->u.hdr.hdr_offset = 0;
+		}
 	} else {
 		rule_hdr->u.hdr.hdr_offset = 0;
 	}

diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c b/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c
index ef0158e..dd691f1 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c

@@ -73,11 +73,18 @@
 		struct ipa3_hdr_proc_ctx_entry *proc_ctx;
 
 		proc_ctx = (entry->proc_ctx) ? : entry->hdr->proc_ctx;
-		gen_params.hdr_lcl = ipa3_ctx->hdr_proc_ctx_tbl_lcl;
-		gen_params.hdr_type = IPAHAL_RT_RULE_HDR_PROC_CTX;
-		gen_params.hdr_ofst = proc_ctx->offset_entry->offset +
-			ipa3_ctx->hdr_proc_ctx_tbl.start_offset;
-	} else if (entry->hdr) {
+		if ((proc_ctx == NULL) ||
+			(proc_ctx->cookie != IPA_PROC_HDR_COOKIE)) {
+			gen_params.hdr_type = IPAHAL_RT_RULE_HDR_NONE;
+			gen_params.hdr_ofst = 0;
+		} else {
+			gen_params.hdr_lcl = ipa3_ctx->hdr_proc_ctx_tbl_lcl;
+			gen_params.hdr_type = IPAHAL_RT_RULE_HDR_PROC_CTX;
+			gen_params.hdr_ofst = proc_ctx->offset_entry->offset +
+				ipa3_ctx->hdr_proc_ctx_tbl.start_offset;
+		}
+	} else if ((entry->hdr != NULL) &&
+		(entry->hdr->cookie == IPA_HDR_COOKIE)) {
 		gen_params.hdr_lcl = ipa3_ctx->hdr_tbl_lcl;
 		gen_params.hdr_type = IPAHAL_RT_RULE_HDR_RAW;
 		gen_params.hdr_ofst = entry->hdr->offset_entry->offset;
commit	d2ae07b1955bfca9609ee820e1855dcd5476244b	[log] [tgz]
author	Linux Build Service Account <lnxbuild@quicinc.com>	Mon Sep 04 15:56:09 2017 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Mon Sep 04 15:56:08 2017 -0700
tree	a93e2ad794a20b56449a2cfe2bb1f9f9eb9551a0
parent	564556da74e1e23941b49f8d978efb7acba674c7 [diff]
parent	025d7bb5811f4330c0836f0a96d0b1403965b58f [diff]