authorSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>2019-11-23 00:13:46 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2019-11-22 23:23:07 -0800
commit7fa0fbc4c4b5344b5c4b9ca7851502f475573fed (patch)
tree66b7621633e7cefaf2914636bdded53a5d0a7885
parent1df496e828e2c6b9f0f810132f0e1121002ffd1a (diff)
downloaddata-kernel-7fa0fbc4c4b5344b5c4b9ca7851502f475573fed.tar.gz
drivers: shs: limit size copied to cached flows array to avoid globar var corruption
Add limit to the number of flows copied into the gold flow and slow start flow arrays before memcpy to shared memory. Going out of bounds on the array write corrupted the global variables for the shared memory pointers. Fixes the following: [ 846.803490] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000081 [ 846.909206] Process kworker/4:1 (pid: 80, stack limit = 0xffffff800b670000) [ 846.916377] CPU: 4 PID: 80 Comm: kworker/4:1 Tainted: G S O 4.19.81+ #1 [ 846.930899] Workqueue: rmnet_shs_wq rmnet_shs_wq_process_wq [rmnet_shs] [ 846.942612] pc : rmnet_shs_wq_mem_update_cached_sorted_ss_flows+0x9c/0xf0 [rmnet_shs] [ 846.950657] lr : rmnet_shs_wq_eval_cpus_caps_and_flows+0x74/0x218 [rmnet_shs] Change-Id: Ifeee71e48fc61c4dd750eb061573beb88fcd2b7d Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
-rw-r--r--drivers/rmnet/shs/rmnet_shs_wq_mem.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/drivers/rmnet/shs/rmnet_shs_wq_mem.c b/drivers/rmnet/shs/rmnet_shs_wq_mem.c
index bec0da5..e80d424 100644
--- a/drivers/rmnet/shs/rmnet_shs_wq_mem.c
+++ b/drivers/rmnet/shs/rmnet_shs_wq_mem.c
@@ -490,6 +490,14 @@ void rmnet_shs_wq_mem_update_cached_sorted_gold_flows(struct list_head *gold_flo
if (!gflow_node)
continue;
+ if (gflow_node->rx_pps == 0) {
+ continue;
+ }
+
+ if (idx >= RMNET_SHS_MAX_USRFLOWS) {
+ break;
+ }
+
rm_err("SHS_SGOLD: > flow 0x%x with pps %llu on cpu[%d]",
gflow_node->hash, gflow_node->rx_pps,
gflow_node->cpu_num);
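Review bot: The new guard `if (idx >= RMNET_SHS_MAX_USRFLOWS)` compares against a macro rather than the destination array itself, and the array's declaration is outside the hunk, so it cannot be confirmed here that the two sizes agree. Since the commit message says an overrun in this loop overwrote the shared-memory pointer globals, tying the bound to the object would keep it correct if the declaration ever changes: `if (idx >= ARRAY_SIZE(cached_flows)) break;`, where `cached_flows` is a placeholder for the array written in this loop. The `break` also truncates silently; a rate-limited message or a counter when the cap is hit would make the condition visible to whoever debugs the next report. The same applies to the identical check in rmnet_shs_wq_mem_update_cached_sorted_ss_flows, and both loop bodies start and end outside their hunks.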
@@ -548,6 +556,15 @@ void rmnet_shs_wq_mem_update_cached_sorted_ss_flows(struct list_head *ss_flows)
if (!ssflow_node)
continue;
+
+ if (ssflow_node->rx_pps == 0) {
+ continue;
+ }
+
+ if (idx >= RMNET_SHS_MAX_USRFLOWS) {
+ break;
+ }
+
rm_err("SHS_SLOW: > flow 0x%x with pps %llu on cpu[%d]",
ssflow_node->hash, ssflow_node->rx_pps,
ssflow_node->cpu_num);
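Review bot: The `rx_pps == 0` skip added ahead of the bound check is not mentioned in the commit description and carries no comment, so a reader cannot tell whether leaving idle flows out of the cached array is intended or a side effect of the fix. A one-line comment above it would settle that, for example `/* idle flows are not published to the cached array */`, assuming that is the intent. The same skip appears uncommented in the gold-flows hunk, and the loop continues outside this hunk.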