TechPanelGM/kernel_xiaomi_sm8250
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "msm: ipa3: Fix to copy num of rules from user space"

Browse Source
This commit is contained in:
qctecmdr
2021-05-18 04:21:11 -07:00
committed by Gerrit - the friendly Code Review server
parent a57b056a72 45c3e70637
commit 98966a3e5b
1 changed files with 93 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

107
drivers/platform/msm/ipa/ipa_v3/ipa.c
View File

@@ -708,6 +708,7 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg)
u32 pyld_sz;
u64 uptr = 0;
u8 *param = NULL;
u8 *param2 = NULL;
u8 *kptr = NULL;
if (copy_from_user(header, (const void __user *)arg,
@@ -746,11 +747,20 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg)
retval = -EFAULT;
goto free_param_kptr;
}
param2 = memdup_user((const void __user *)arg,
sizeof(struct ipa_ioc_add_rt_rule_v2));
if (IS_ERR(param2)) {
retval = -EFAULT;
goto free_param_kptr;
}
/* add check in case user-space module compromised */
if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param)->num_rules
if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param2)->num_rules
!= pre_entry)) {
IPAERR_RL("current %d pre %d\n",
((struct ipa_ioc_add_rt_rule_v2 *)param)->
((struct ipa_ioc_add_rt_rule_v2 *)param2)->
num_rules, pre_entry);
retval = -EFAULT;
goto free_param_kptr;
@@ -794,6 +804,8 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg)
free_param_kptr:
if (!IS_ERR(param))
kfree(param);
if (!IS_ERR(param2))
kfree(param2);
kfree(kptr);
return retval;
@@ -809,6 +821,7 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg)
u32 pyld_sz;
u64 uptr = 0;
u8 *param = NULL;
u8 *param2 = NULL;
u8 *kptr = NULL;
if (copy_from_user(header,
@@ -850,11 +863,20 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg)
retval = -EFAULT;
goto free_param_kptr;
}
param2 = memdup_user((const void __user *)arg,
sizeof(struct ipa_ioc_add_rt_rule_ext_v2));
if (IS_ERR(param2)) {
retval = -EFAULT;
goto free_param_kptr;
}
/* add check in case user-space module compromised */
if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param)->num_rules
if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)->num_rules
!= pre_entry)) {
IPAERR_RL("current %d pre %d\n",
((struct ipa_ioc_add_rt_rule_ext_v2 *)param)->
((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)->
num_rules, pre_entry);
retval = -EFAULT;
goto free_param_kptr;
@@ -900,6 +922,8 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg)
free_param_kptr:
if (!IS_ERR(param))
kfree(param);
if (!IS_ERR(param2))
kfree(param2);
kfree(kptr);
return retval;
@@ -915,6 +939,7 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg)
u32 pyld_sz;
u64 uptr = 0;
u8 *param = NULL;
u8 *param2 = NULL;
u8 *kptr = NULL;
if (copy_from_user(header, (const void __user *)arg,
@@ -955,11 +980,19 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg)
retval = -EFAULT;
goto free_param_kptr;
}
param2 = memdup_user((const void __user *)arg,
sizeof(struct ipa_ioc_add_rt_rule_after_v2));
if (IS_ERR(param2)) {
retval = -EFAULT;
goto free_param_kptr;
}
/* add check in case user-space module compromised */
if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param)->num_rules
if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param2)->num_rules
!= pre_entry)) {
IPAERR_RL("current %d pre %d\n",
((struct ipa_ioc_add_rt_rule_after_v2 *)param)->
((struct ipa_ioc_add_rt_rule_after_v2 *)param2)->
num_rules, pre_entry);
retval = -EFAULT;
goto free_param_kptr;
@@ -1003,6 +1036,8 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg)
free_param_kptr:
if (!IS_ERR(param))
kfree(param);
if (!IS_ERR(param2))
kfree(param2);
kfree(kptr);
return retval;
@@ -1018,6 +1053,7 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg)
u32 pyld_sz;
u64 uptr = 0;
u8 *param = NULL;
u8 *param2 = NULL;
u8 *kptr = NULL;
if (copy_from_user(header, (const void __user *)arg,
@@ -1058,11 +1094,19 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg)
retval = -EFAULT;
goto free_param_kptr;
}
param2 = memdup_user((const void __user *)arg,
sizeof(struct ipa_ioc_mdfy_rt_rule_v2));
if (IS_ERR(param2)) {
retval = -EFAULT;
goto free_param_kptr;
}
/* add check in case user-space module compromised */
if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param)->num_rules
if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)->num_rules
!= pre_entry)) {
IPAERR_RL("current %d pre %d\n",
((struct ipa_ioc_mdfy_rt_rule_v2 *)param)->
((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)->
num_rules, pre_entry);
retval = -EFAULT;
goto free_param_kptr;
@@ -1106,6 +1150,8 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg)
free_param_kptr:
if (!IS_ERR(param))
kfree(param);
if (!IS_ERR(param2))
kfree(param2);
kfree(kptr);
return retval;
@@ -1121,6 +1167,7 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg)
u32 pyld_sz;
u64 uptr = 0;
u8 *param = NULL;
u8 *param2 = NULL;
u8 *kptr = NULL;
if (copy_from_user(header, (const void __user *)arg,
@@ -1160,11 +1207,19 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg)
retval = -EFAULT;
goto free_param_kptr;
}
param2 = memdup_user((const void __user *)arg,
sizeof(struct ipa_ioc_add_flt_rule_v2));
if (IS_ERR(param2)) {
retval = -EFAULT;
goto free_param_kptr;
}
/* add check in case user-space module compromised */
if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param)->num_rules
if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param2)->num_rules
!= pre_entry)) {
IPAERR_RL("current %d pre %d\n",
((struct ipa_ioc_add_flt_rule_v2 *)param)->
((struct ipa_ioc_add_flt_rule_v2 *)param2)->
num_rules, pre_entry);
retval = -EFAULT;
goto free_param_kptr;
@@ -1207,6 +1262,8 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg)
free_param_kptr:
if (!IS_ERR(param))
kfree(param);
if (!IS_ERR(param2))
kfree(param2);
kfree(kptr);
return retval;
@@ -1222,6 +1279,7 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg)
u32 pyld_sz;
u64 uptr = 0;
u8 *param = NULL;
u8 *param2 = NULL;
u8 *kptr = NULL;
if (copy_from_user(header, (const void __user *)arg,
@@ -1262,11 +1320,19 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg)
retval = -EFAULT;
goto free_param_kptr;
}
param2 = memdup_user((const void __user *)arg,
sizeof(struct ipa_ioc_add_flt_rule_after_v2));
if (IS_ERR(param2)) {
retval = -EFAULT;
goto free_param_kptr;
}
/* add check in case user-space module compromised */
if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param)->num_rules
if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param2)->num_rules
!= pre_entry)) {
IPAERR_RL("current %d pre %d\n",
((struct ipa_ioc_add_flt_rule_after_v2 *)param)->
((struct ipa_ioc_add_flt_rule_after_v2 *)param2)->
num_rules, pre_entry);
retval = -EFAULT;
goto free_param_kptr;
@@ -1310,6 +1376,8 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg)
free_param_kptr:
if (!IS_ERR(param))
kfree(param);
if (!IS_ERR(param2))
kfree(param2);
kfree(kptr);
return retval;
@@ -1325,6 +1393,7 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg)
u32 pyld_sz;
u64 uptr = 0;
u8 *param = NULL;
u8 *param2 = NULL;
u8 *kptr = NULL;
if (copy_from_user(header, (const void __user *)arg,
@@ -1365,11 +1434,19 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg)
retval = -EFAULT;
goto free_param_kptr;
}
param2 = memdup_user((const void __user *)arg,
sizeof(struct ipa_ioc_mdfy_flt_rule_v2));
if (IS_ERR(param2)) {
retval = -EFAULT;
goto free_param_kptr;
}
/* add check in case user-space module compromised */
if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param)->num_rules
if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)->num_rules
!= pre_entry)) {
IPAERR_RL("current %d pre %d\n",
((struct ipa_ioc_mdfy_flt_rule_v2 *)param)->
((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)->
num_rules, pre_entry);
retval = -EFAULT;
goto free_param_kptr;
@@ -1413,6 +1490,8 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg)
free_param_kptr:
if (!IS_ERR(param))
kfree(param);
if (!IS_ERR(param2))
kfree(param2);
kfree(kptr);
return retval;