From 040963c813d03a64441f7c23296e90461955f15f Mon Sep 17 00:00:00 2001
From: Mohammed Javid
Date: Thu, 5 Oct 2017 23:39:39 +0530
Subject: msm: ipa: Fix to validate routing table index for filter exception
Fix to validate routing table index for filter action IPA_PASS_TO_EXCEPTION case to avoid ipa assert during commit filter rule.
Change-Id: I957f7ffc415ea1a042f6b3a948e94410d41b2262
Acked-by: Ashok Vuyyuru
Signed-off-by: Mohammed Javid
---
 drivers/platform/msm/ipa/ipa_v2/ipa_flt.c | 10 ++++++++++
 drivers/platform/msm/ipa/ipa_v3/ipa_flt.c | 25 ++++++++++++++++++++-----
 2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_flt.c b/drivers/platform/msm/ipa/ipa_v2/ipa_flt.c
index c0af295c7362..834f028d3e48 100644
--- a/drivers/platform/msm/ipa/ipa_v2/ipa_flt.c
+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_flt.c
@@ -1039,6 +1039,11 @@ static int __ipa_add_flt_rule(struct ipa_flt_tbl *tbl, enum ipa_ip_type ip,
 goto error;
 }
 }
+ } else {
+ if (rule->rt_tbl_idx > 0) {
+ IPAERR_RL("invalid RT tbl\n");
+ goto error;
+ }
 }
 entry = kmem_cache_zalloc(ipa_ctx->flt_rule_cache, GFP_KERNEL);
@@ -1160,6 +1165,11 @@ static int __ipa_mdfy_flt_rule(struct ipa_flt_rule_mdfy *frule,
 goto error;
 }
 }
+ } else {
+ if (frule->rule.rt_tbl_idx > 0) {
+ IPAERR_RL("invalid RT tbl\n");
+ goto error;
+ }
 }
 entry->rule = frule->rule;
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_flt.c b/drivers/platform/msm/ipa/ipa_v3/ipa_flt.c
index a03d8978c6c2..ced8c8b2d3ab 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_flt.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_flt.c
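Review bot: The `else` branch added to `__ipa_add_flt_rule` has no comment saying why a non-zero `rt_tbl_idx` is rejected, and the condition of the outer `if` lies outside the hunk, so only the commit message ties this check to the IPA_PASS_TO_EXCEPTION action. I would put `/* IPA_PASS_TO_EXCEPTION rules must carry rt_tbl_idx 0; a non-zero index asserts when the filter rule is committed */` above the test. The log line would be easier to triage if it carried the rejected value, e.g. `IPAERR_RL("rt_tbl_idx %u not allowed for exception action\n", rule->rt_tbl_idx);` (the specifier assumes an unsigned field, whose declaration is not visible here). The same applies to the matching branch in `__ipa_mdfy_flt_rule` below and to the two ipa_v3 hunks that add this check; all of these functions start and end outside their hunks.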
@@ -757,10 +757,16 @@ static int __ipa_validate_flt_rule(const struct ipa_flt_rule *rule,
 goto error;
 }
 }
+ } else {
+ if (rule->rt_tbl_idx > 0) {
+ IPAERR("invalid RT tbl\n");
+ goto error;
+ }
 }
 if (rule->rule_id) {
- if (!(rule->rule_id & ipahal_get_rule_id_hi_bit())) {
+ if ((rule->rule_id < ipahal_get_rule_id_hi_bit()) ||
+ (rule->rule_id >= ((ipahal_get_rule_id_hi_bit()<<1)-1))) {
 IPAERR("invalid rule_id provided 0x%x\n" "rule_id with bit 0x%x are auto generated\n", rule->rule_id, ipahal_get_rule_id_hi_bit());
@@ -866,7 +872,8 @@ static int __ipa_add_flt_rule(struct ipa3_flt_tbl *tbl, enum ipa_ip_type ip,
 ipa_insert_failed:
 list_del(&entry->link);
 /* if rule id was allocated from idr, remove it */
- if (!(entry->rule_id & ipahal_get_rule_id_hi_bit()))
+ if ((entry->rule_id < ipahal_get_rule_id_hi_bit()) &&
+ (entry->rule_id >= ipahal_get_low_rule_id()))
 idr_remove(&entry->tbl->rule_ids, entry->rule_id);
 kmem_cache_free(ipa3_ctx->flt_rule_cache, entry);
@@ -913,7 +920,8 @@ static int __ipa_add_flt_rule_after(struct ipa3_flt_tbl *tbl,
 ipa_insert_failed:
 list_del(&entry->link);
 /* if rule id was allocated from idr, remove it */
- if (!(entry->rule_id & ipahal_get_rule_id_hi_bit()))
+ if ((entry->rule_id < ipahal_get_rule_id_hi_bit()) &&
+ (entry->rule_id >= ipahal_get_low_rule_id()))
 idr_remove(&entry->tbl->rule_ids, entry->rule_id);
 kmem_cache_free(ipa3_ctx->flt_rule_cache, entry);
@@ -947,7 +955,8 @@ static int __ipa_del_flt_rule(u32 rule_hdl)
 entry->tbl->rule_cnt, entry->rule_id);
 entry->cookie = 0;
 /* if rule id was allocated from idr, remove it */
- if (!(entry->rule_id & ipahal_get_rule_id_hi_bit()))
+ if ((entry->rule_id < ipahal_get_rule_id_hi_bit()) &&
+ (entry->rule_id >= ipahal_get_low_rule_id()))
 idr_remove(&entry->tbl->rule_ids, entry->rule_id);
 kmem_cache_free(ipa3_ctx->flt_rule_cache, entry);
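Review bot: The new `else` branch in `__ipa_validate_flt_rule` logs through `IPAERR`, while the three sibling branches this commit adds (ipa_v2 add and modify, ipa_v3 modify) use `IPAERR_RL`. If the rule fields come from a caller-supplied request, as the validation suggests, and `IPAERR_RL` is the rate-limited variant its name implies, repeated bad requests on this path can fill the kernel log; I would use `IPAERR_RL("invalid RT tbl\n");` here as well. In the same hunk the upper bound `((ipahal_get_rule_id_hi_bit()<<1)-1)` excludes the largest id in the range without saying why, and the unchanged message text describes only the high-bit rule, so a rejection at the upper bound is reported misleadingly. A one-line comment naming the excluded value (presumably reserved; confirm against the HAL) would settle it. The function body starts and ends outside the hunk.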
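Review bot: The two-line test `(entry->rule_id < ipahal_get_rule_id_hi_bit()) && (entry->rule_id >= ipahal_get_low_rule_id())` is pasted verbatim at four sites: the `ipa_insert_failed` paths of `__ipa_add_flt_rule` and `__ipa_add_flt_rule_after`, `__ipa_del_flt_rule`, and `ipa3_reset_flt`. Each copy decides whether `idr_remove()` runs, so a later change to the id ranges that misses one copy would either leave stale ids in the idr or remove ids that were never allocated from it. I would move the test into one `static bool` helper (name is a suggestion) so each site reads `if (ipa3_flt_rule_id_from_idr(entry->rule_id))`. Its comment should state that ids in the half-open range from `ipahal_get_low_rule_id()` to `ipahal_get_rule_id_hi_bit()` come from the idr, while caller-supplied ids are validated to lie at or above the high bit. All four functions extend beyond their hunks.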
@@ -1003,6 +1012,11 @@ static int __ipa_mdfy_flt_rule(struct ipa_flt_rule_mdfy *frule,
 goto error;
 }
 }
+ } else {
+ if (frule->rule.rt_tbl_idx > 0) {
+ IPAERR_RL("invalid RT tbl\n");
+ goto error;
+ }
 }
 entry->rule = frule->rule;
@@ -1367,7 +1381,8 @@ int ipa3_reset_flt(enum ipa_ip_type ip)
 if (entry->rt_tbl)
 entry->rt_tbl->ref_cnt--;
 /* if rule id was allocated from idr, remove it */
- if (!(entry->rule_id & ipahal_get_rule_id_hi_bit()))
+ if ((entry->rule_id < ipahal_get_rule_id_hi_bit()) &&
+ (entry->rule_id >= ipahal_get_low_rule_id()))
 idr_remove(&entry->tbl->rule_ids, entry->rule_id);
 entry->cookie = 0;
--
cgit v1.2.3