diag: Add protection while accessing usb_info's buffer table

Currently there is a possibility of a NULL pointer dereference while
accessing usb_info's buffer table because proper protection is missing.
This patch adds that protection.

Change-Id: I974a70a48e7ac47b42bc237aac4db1b9e47be6be
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Hardik Arya 2018-03-29 13:58:19 +05:30 committed by Gerrit - the friendly Code Review server
parent 0bc8b59292
commit 6f1987e5d8


@ -308,23 +308,25 @@ static void diag_usb_write_done(struct diag_usb_info *ch,
if (!ch || !req)
return;
spin_lock_irqsave(&ch->write_lock, flags);
ch->write_cnt++;
entry = diag_usb_buf_tbl_get(ch, req->context);
if (!entry) {
pr_err_ratelimited("diag: In %s, unable to find entry %pK in the table\n",
__func__, req->context);
spin_unlock_irqrestore(&ch->write_lock, flags);
return;
}
if (atomic_read(&entry->ref_count) != 0) {
DIAG_LOG(DIAG_DEBUG_MUX, "partial write_done ref %d\n",
atomic_read(&entry->ref_count));
diag_ws_on_copy_complete(DIAG_WS_MUX);
spin_unlock_irqrestore(&ch->write_lock, flags);
diagmem_free(driver, req, ch->mempool);
return;
}
DIAG_LOG(DIAG_DEBUG_MUX, "full write_done, ctxt: %d\n",
ctxt);
spin_lock_irqsave(&ch->write_lock, flags);
list_del(&entry->track);
ctxt = entry->ctxt;
buf = entry->buf;
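Review bot: The "full write_done" DIAG_LOG prints `ctxt` before `ctxt = entry->ctxt;` runs three lines later, so unless `ctxt` is initialised earlier in diag_usb_write_done (its declaration is outside this hunk) the debug line reports an indeterminate or stale value. Logging the field directly avoids the ordering problem: `DIAG_LOG(DIAG_DEBUG_MUX, "full write_done, ctxt: %d\n", entry->ctxt);`. The rendered page has lost its +/- markers, so this reading assumes the second `spin_lock_irqsave(&ch->write_lock, flags);` just before `list_del(&entry->track);` is the removed line; if it were kept, it would re-acquire a lock already held from the top of the function. The unlock for the full-write path is below the hunk, so it cannot be confirmed from here that every exit releases `write_lock`.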