From 5856773b27d4afb0ea023358a686cf8ed6bb6856 Mon Sep 17 00:00:00 2001
From: Avinash Kumar
Date: Thu, 6 Mar 2025 16:22:39 +0530
Subject: [PATCH] msm: ipa: Introduce additional NULL checks

Added safety null checks for entry header while header deletion to avoid use-after-free scenario.

Change-Id: I20879ebaa5fd2173b6d4a60872de2caf22da373b
Signed-off-by: Avinash Kumar
---
 drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
index 1d7050999c..2f9bc0643b 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
 * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2023, 2025 Qualcomm Innovation Center, Inc. All rights reserved.
 */
 #include "ipa_i.h"
@@ -51,6 +51,13 @@ alloc:
 list_for_each_entry(entry, &ipa3_ctx->hdr_tbl[loc].head_hdr_entry_list, link) {
 IPADBG_LOW("hdr of len %d ofst=%d\n", entry->hdr_len, entry->offset_entry->offset);
+ /* Safety check for pointer and header length to avoid dangerous overflow in HW */
+ if (unlikely(!entry->offset_entry ||
+ entry->hdr_len > ipa_hdr_bin_sz[IPA_HDR_BIN_MAX - 1])) {
+ IPAERR_RL("Invalid hdr entry\n");
+ return -EINVAL;
+ }
+
 ipahal_cp_hdr_to_hw_buff(mem->base, entry->offset_entry->offset, entry->hdr, entry->hdr_len);
 }
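Review bot: In the second hunk the new `!entry->offset_entry` guard sits after the `IPADBG_LOW(...)` call in the context lines just above it, and that call already reads `entry->offset_entry->offset`, so a NULL `offset_entry` can be dereferenced before the check is reached unless the macro never evaluates its arguments in this build; the check should move above the log call. A NULL test also only catches a pointer that was cleared, so for the use-after-free named in the commit message it helps only if the deletion path sets `offset_entry` to NULL under the same lock, which is not visible here. The early `return -EINVAL` leaves the loop while `mem->base` is already the copy destination; if that buffer is allocated under the `alloc:` label earlier in the function, outside this hunk, confirm it is released on this path or by the caller. The added comment would be more accurate as `/* Reject entries with no offset_entry or a hdr_len larger than the biggest header bin before copying into the HW buffer */`.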