msm: Fix out of bounds memory access and null pointer checks
CRs-fixed: 313386
Change-Id: I2d3f4c7f0e9ba15aa6ba52530a8c2ccb3d0f7b5d
Signed-off-by: Praveen Chidambaram <pchidamb@codeaurora.org>
diff --git a/arch/arm/mach-msm/mpm.c b/arch/arm/mach-msm/mpm.c
index 040e126..70ee39b 100644
--- a/arch/arm/mach-msm/mpm.c
+++ b/arch/arm/mach-msm/mpm.c
@@ -260,6 +260,9 @@
uint32_t index = MSM_MPM_IRQ_INDEX(mpm_irq);
uint32_t mask = MSM_MPM_IRQ_MASK(mpm_irq);
+ if (index >= MSM_MPM_REG_WIDTH)
+ return -EFAULT;
+
if (flow_type & IRQ_TYPE_EDGE_BOTH)
msm_mpm_detect_ctl[index] |= mask;
else
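Review bot: The new guard returns -EFAULT for an out-of-range `index`, but in the kernel -EFAULT denotes a bad user-space address; an IRQ number that maps outside the MPM register set is conventionally an invalid argument, so `return -EINVAL;` tells callers what actually went wrong. The check bounds `msm_mpm_detect_ctl[index]` against `MSM_MPM_REG_WIDTH`; any other array indexed by `index` further down this function (outside the hunk) should be confirmed to have the same width, since the guard is the only protection they get. The enclosing function starts and ends outside the hunk.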
diff --git a/arch/arm/mach-msm/msm_rq_stats.c b/arch/arm/mach-msm/msm_rq_stats.c
index 425000d..9daaaba 100644
--- a/arch/arm/mach-msm/msm_rq_stats.c
+++ b/arch/arm/mach-msm/msm_rq_stats.c
@@ -160,20 +160,20 @@
for (i = 0; i < attr_count - 1 ; i++) {
if (!attribs[i])
- goto rel;
+ goto rel2;
}
rq_info.attr_group = kzalloc(sizeof(struct attribute_group),
GFP_KERNEL);
if (!rq_info.attr_group)
- goto rel;
+ goto rel3;
rq_info.attr_group->attrs = attribs;
/* Create /sys/devices/system/cpu/cpu0/rq-stats/... */
rq_info.kobj = kobject_create_and_add("rq-stats",
&get_cpu_sysdev(0)->kobj);
if (!rq_info.kobj)
- goto rel;
+ goto rel3;
err = sysfs_create_group(rq_info.kobj, rq_info.attr_group);
if (err)
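Review bot: The `goto rel2` taken when `attribs[i]` is NULL leads to a loop that calls `kfree()` on every `attribs[i]` up to `attr_count - 1`, including entries after the failed one; that is only safe if the array was zero-filled when allocated (the allocation is outside the hunk), otherwise uninitialized slots are passed to `kfree()`. If `attribs` comes from `kmalloc()` rather than `kzalloc()`/`kcalloc()`, either switch the allocation or free only the entries that were actually populated. The enclosing function starts outside the hunk.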
@@ -184,12 +184,14 @@
if (!err)
return err;
-rel:
- for (i = 0; i < attr_count - 1 ; i++)
- kfree(attribs[i]);
- kfree(attribs);
+rel3:
kfree(rq_info.attr_group);
kfree(rq_info.kobj);
+rel2:
+ for (i = 0; i < attr_count - 1; i++)
+ kfree(attribs[i]);
+rel:
+ kfree(attribs);
return -ENOMEM;
}
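Review bot: After the new `rel3:` path frees `rq_info.attr_group` and `rq_info.kobj`, both fields keep their stale values in the global `rq_info`, so any later teardown or re-initialization that tests them would operate on freed memory; add `rq_info.attr_group = NULL;` and `rq_info.kobj = NULL;` after the two `kfree()` calls. `rq_info.kobj` is returned by `kobject_create_and_add()`, and kobjects are reference counted and released with `kobject_put()` rather than `kfree()`, although on the paths this commit routes to `rel3` the pointer appears to be NULL and the call is a no-op. The path taken when `sysfs_create_group()` fails lies between the two hunks and is not visible here, so it should be checked against the same points.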
diff --git a/arch/arm/mach-msm/pm-8x60.c b/arch/arm/mach-msm/pm-8x60.c
index cb5fcff..8db21f9 100644
--- a/arch/arm/mach-msm/pm-8x60.c
+++ b/arch/arm/mach-msm/pm-8x60.c
@@ -384,6 +384,9 @@
else
i = CONFIG_MSM_IDLE_STATS_BUCKET_COUNT - 1;
+ if (i >= CONFIG_MSM_IDLE_STATS_BUCKET_COUNT)
+ i = CONFIG_MSM_IDLE_STATS_BUCKET_COUNT - 1;
+
stats[id].bucket[i]++;
if (t < stats[id].min_time[i] || !stats[id].max_time[i])
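Review bot: The added clamp only bounds `i` from above; if `i` is a signed index (its declaration and the computation in the `if` branch are outside the hunk), a negative value still indexes `stats[id].bucket[i]` out of range, so pair it with `if (i < 0) i = 0;` or make the variable unsigned. Silently clamping also hides the miscomputation the guard is there to catch; a `WARN_ON_ONCE()` on the out-of-range condition would make it visible in the log without changing the recovery. The enclosing function continues outside the hunk.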
diff --git a/arch/arm/mach-msm/rpm.c b/arch/arm/mach-msm/rpm.c
index bee3c3d..ef2956a 100644
--- a/arch/arm/mach-msm/rpm.c
+++ b/arch/arm/mach-msm/rpm.c
@@ -264,7 +264,7 @@
DECLARE_COMPLETION_ONSTACK(ack);
unsigned long flags;
uint32_t ctx_mask = msm_rpm_get_ctx_mask(ctx);
- uint32_t ctx_mask_ack;
+ uint32_t ctx_mask_ack = 0;
uint32_t sel_masks_ack[MSM_RPM_SEL_MASK_SIZE];
int i;
@@ -320,8 +320,9 @@
unsigned int irq = msm_rpm_platform->irq_ack;
unsigned long flags;
uint32_t ctx_mask = msm_rpm_get_ctx_mask(ctx);
- uint32_t ctx_mask_ack;
+ uint32_t ctx_mask_ack = 0;
uint32_t sel_masks_ack[MSM_RPM_SEL_MASK_SIZE];
+ struct irq_chip *irq_chip = NULL;
int i;
msm_rpm_request_poll_mode.req = req;
@@ -331,7 +332,12 @@
msm_rpm_request_poll_mode.done = NULL;
spin_lock_irqsave(&msm_rpm_irq_lock, flags);
- irq_get_chip(irq)->irq_mask(irq_get_irq_data(irq));
+ irq_chip = irq_get_chip(irq);
+ if (!irq_chip) {
+ spin_unlock_irqrestore(&msm_rpm_irq_lock, flags);
+ return -ENOSPC;
+ }
+ irq_chip->irq_mask(irq_get_irq_data(irq));
if (msm_rpm_request) {
msm_rpm_busy_wait_for_request_completion(true);
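Review bot: The new early return on a missing irq chip reports -ENOSPC, which means "no space left on device"; an absent irq chip is better described by `return -ENODEV;`. The return also happens after `msm_rpm_request_poll_mode.req` and `msm_rpm_request_poll_mode.done` have been assigned, so the shared poll-mode structure is left pointing at the caller's `req` on the failure path; if callers release `req` after an error this is a stale pointer, and the fields should be reset before returning, which should be confirmed against the callers. The function continues outside the hunk; the unmask in the later hunk correctly reuses the same `irq_chip` pointer instead of calling `irq_get_chip()` again.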
@@ -356,7 +362,7 @@
msm_rpm_busy_wait_for_request_completion(false);
BUG_ON(msm_rpm_request);
- irq_get_chip(irq)->irq_unmask(irq_get_irq_data(irq));
+ irq_chip->irq_unmask(irq_get_irq_data(irq));
spin_unlock_irqrestore(&msm_rpm_irq_lock, flags);
BUG_ON((ctx_mask_ack & ~(msm_rpm_get_ctx_mask(MSM_RPM_CTX_REJECTED)))