From 7e04ab0ab1ca049cfae8edff9944af83cf4e48d4 Mon Sep 17 00:00:00 2001
From: Mohammed Javid <mjavid@codeaurora.org>
Date: Thu, 9 Nov 2017 15:16:46 +0530
Subject: [PATCH] msm: ipa: Fix array out of bound and use after NULL check

Couple of code cleanup
 - Check for upper boundary for resource_index
   not to dependent on ipa_rm_dep_get_index function.
 - Check actual argument for NULL and return.

Change-Id: I0ab244e68d96f7841ab2a10e61f2546314166165
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
---
 drivers/platform/msm/ipa/ipa_rm_dependency_graph.c | 8 +++++---
 drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c        | 8 +++++++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/platform/msm/ipa/ipa_rm_dependency_graph.c b/drivers/platform/msm/ipa/ipa_rm_dependency_graph.c
index 26f25ed3614f..ccbd39c7a0b2 100644
--- a/drivers/platform/msm/ipa/ipa_rm_dependency_graph.c
+++ b/drivers/platform/msm/ipa/ipa_rm_dependency_graph.c
@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2018, 2021, The Linux Foundation. All rights reserved.
  */
 
 #include <linux/slab.h>
@@ -77,7 +77,8 @@ int ipa_rm_dep_graph_get_resource(
 		goto bail;
 	}
 	resource_index = ipa_rm_dep_get_index(resource_name);
-	if (resource_index == IPA_RM_INDEX_INVALID) {
+	if (resource_index == IPA_RM_INDEX_INVALID ||
+		resource_index >= IPA_RM_RESOURCE_MAX) {
 		result = -EINVAL;
 		goto bail;
 	}
@@ -109,7 +110,8 @@ int ipa_rm_dep_graph_add(struct ipa_rm_dep_graph *graph,
 		goto bail;
 	}
 	resource_index = ipa_rm_dep_get_index(resource->name);
-	if (resource_index == IPA_RM_INDEX_INVALID) {
+	if (resource_index == IPA_RM_INDEX_INVALID ||
+		resource_index >= IPA_RM_RESOURCE_MAX) {
 		result = -EINVAL;
 		goto bail;
 	}
diff --git a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
index 75b3850e8219..e642ed081016 100644
--- a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
@@ -2870,7 +2870,13 @@ static int rmnet_ipa_query_tethering_stats_modem(
 		IPAWANDBG("reset the pipe stats\n");
 	} else {
 		/* print tethered-client enum */
-		IPAWANDBG_LOW("Tethered-client enum(%d)\n", data->ipa_client);
+		if (data == NULL) {
+			kfree(req);
+			kfree(resp);
+			return -EINVAL;
+		}
+		IPAWANDBG_LOW("Tethered-client enum(%d)\n",
+				data->ipa_client);
 	}
 
 	rc = ipa_qmi_get_data_stats(req, resp);