Merge "msm: adsprpc: Fix array index underflow problem"
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index a0652b7..2d23442 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -720,12 +720,20 @@
{
struct fastrpc_apps *me = &gfa;
struct fastrpc_file *fl;
- int vmid;
+ int vmid, cid = -1, err = 0;
struct fastrpc_session_ctx *sess;
if (!map)
return;
fl = map->fl;
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ pr_err("adsprpc: ERROR:%s, Invalid channel id: %d, err:%d",
+ __func__, cid, err);
+ return;
+ }
if (map->flags == ADSP_MMAP_HEAP_ADDR ||
map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
spin_lock(&me->hlock);
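Review bot: The early `return` added after the channel-id check leaves `map` untouched, so if this is the mapping's release path (the signature is outside the hunk) an out-of-range `cid` would leak the mapping rather than free it. The heap branch that follows in the hunk does not visibly use `cid`, so the check may belong only in front of the code that indexes by channel, which is further down and not shown. The `pr_err` format string also lacks a trailing newline and should end `err:%d\n"`. Because the function returns nothing, `err = -ECHRNG` only feeds the log line; a short comment saying so would avoid confusion.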
@@ -805,15 +813,21 @@
struct fastrpc_apps *me = &gfa;
struct fastrpc_session_ctx *sess;
struct fastrpc_apps *apps = fl->apps;
- int cid = fl->cid;
- struct fastrpc_channel_ctx *chan = &apps->channel[cid];
struct fastrpc_mmap *map = NULL;
+ struct fastrpc_channel_ctx *chan = NULL;
unsigned long attrs;
dma_addr_t region_phys = 0;
void *region_vaddr = NULL;
unsigned long flags;
- int err = 0, vmid;
+ int err = 0, vmid, cid = -1;
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+ chan = &apps->channel[cid];
if (!fastrpc_mmap_find(fl, fd, va, len, mflags, 1, ppmap))
return 0;
map = kzalloc(sizeof(*map), GFP_KERNEL);
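Review bot: The five-line range check on `fl->cid` is open-coded here and again in the hunks at -720, -1850, -1974 and -3416, which makes it easy for one copy to drift from the others. A small helper such as `static inline int fastrpc_cid_valid(int cid) { return cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS; }` would keep the bounds in one place. The `cid = -1` initializer is overwritten by the very next statement in each of these hunks and could be dropped. The `bail` label this jumps to is outside the hunk.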
@@ -1850,12 +1864,22 @@
{
struct smq_msg *msg = &ctx->msg;
struct fastrpc_file *fl = ctx->fl;
- struct fastrpc_channel_ctx *channel_ctx = &fl->apps->channel[fl->cid];
- int err = 0, len;
+ int err = 0, len, cid = -1;
+ struct fastrpc_channel_ctx *channel_ctx = NULL;
+
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+ channel_ctx = &fl->apps->channel[fl->cid];
VERIFY(err, NULL != channel_ctx->chan);
- if (err)
+ if (err) {
+ err = -ECHRNG;
goto bail;
+ }
msg->pid = fl->tgid;
msg->tid = current->pid;
if (fl->sessionid)
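Review bot: The added line `channel_ctx = &fl->apps->channel[fl->cid];` re-reads `fl->cid` instead of using the local `cid` that was just range-checked, so the value checked and the value used as the index can differ if `fl->cid` is written concurrently (whether that can happen is not visible here). Index with the validated copy instead: `channel_ctx = &fl->apps->channel[cid];`. The NULL-`chan` failure now also returns `-ECHRNG`, which makes it indistinguishable from a bad channel id for the caller; a distinct errno would be clearer. The function's signature and the `bail` label are outside the hunk.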
@@ -1974,11 +1998,22 @@
{
struct smq_invoke_ctx *ctx = NULL;
struct fastrpc_ioctl_invoke *invoke = &inv->inv;
- int cid = fl->cid;
- int interrupted = 0;
- int err = 0;
+ int err = 0, cid = -1, interrupted = 0;
struct timespec invoket = {0};
- int64_t *perf_counter = getperfcounter(fl, PERF_COUNT);
+ int64_t *perf_counter = NULL;
+
+ cid = fl->cid;
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
+ goto bail;
+ }
+ VERIFY(err, fl->sctx != NULL);
+ if (err) {
+ err = -EBADR;
+ goto bail;
+ }
+ perf_counter = getperfcounter(fl, PERF_COUNT);
if (fl->profile)
getnstimeofday(&invoket);
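Review bot: The two new `goto bail` exits run before `perf_counter` and `invoket` are set, and the first of them runs with a `cid` that has just been rejected. The `bail` label is outside the hunk, so it should be confirmed that nothing there indexes a channel array with `cid` or dereferences `perf_counter` on these paths. If it does, that code needs the same range guard, for example `if (cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS && ...)`, or the invalid-id case should leave the function before reaching it.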
@@ -1992,13 +2027,6 @@
}
}
- VERIFY(err, fl->sctx != NULL);
- if (err)
- goto bail;
- VERIFY(err, fl->cid >= 0 && fl->cid < NUM_CHANNELS);
- if (err)
- goto bail;
-
if (!kernel) {
VERIFY(err, 0 == context_restore_interrupted(fl, inv,
&ctx));
@@ -3408,7 +3436,7 @@
static int fastrpc_channel_open(struct fastrpc_file *fl)
{
struct fastrpc_apps *me = &gfa;
- int cid, ii, err = 0;
+ int cid = -1, ii, err = 0;
mutex_lock(&me->smd_mutex);
@@ -3416,9 +3444,11 @@
if (err)
goto bail;
cid = fl->cid;
- VERIFY(err, cid >= 0 && cid < NUM_CHANNELS);
- if (err)
+ VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
+ if (err) {
+ err = -ECHRNG;
goto bail;
+ }
if (me->channel[cid].ssrcount !=
me->channel[cid].prevssrcount) {
if (!me->channel[cid].issubsystemup) {
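Review bot: The lower bound changes here from `cid >= 0` to `cid >= ADSP_DOMAIN_ID`, which only rejects a negative index as long as `ADSP_DOMAIN_ID` is 0; its definition is not visible in this diff. Since the check guards `me->channel[cid]`, stating the array bound directly with the literal `0`, or adding a comment such as `/* ADSP_DOMAIN_ID is the first channel index (0) */`, would keep the intent clear if the domain constants are ever renumbered. The function body continues past the end of the hunk.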