From 6f1987e5d8dafc065559e37db9555e2abb525d5f Mon Sep 17 00:00:00 2001
From: Hardik Arya
Date: Thu, 29 Mar 2018 13:58:19 +0530
Subject: [PATCH] diag: Add protection while accessing usb_info's buffer table

Currently there a possibility of NULL pointer dereference while accessing usb_info's buffer table due to missing proper protection. The patch adds protection for the same.

Change-Id: I974a70a48e7ac47b42bc237aac4db1b9e47be6be
Signed-off-by: Hardik Arya
---
 drivers/char/diag/diag_usb.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/char/diag/diag_usb.c b/drivers/char/diag/diag_usb.c
index 87d021f6a956..5ea98b531b83 100644
--- a/drivers/char/diag/diag_usb.c
+++ b/drivers/char/diag/diag_usb.c
@@ -308,23 +308,25 @@ static void diag_usb_write_done(struct diag_usb_info *ch,
 	if (!ch || !req)
 		return;
 
+	spin_lock_irqsave(&ch->write_lock, flags);
 	ch->write_cnt++;
 	entry = diag_usb_buf_tbl_get(ch, req->context);
 	if (!entry) {
 		pr_err_ratelimited("diag: In %s, unable to find entry %pK in the table\n",
 				   __func__, req->context);
+		spin_unlock_irqrestore(&ch->write_lock, flags);
 		return;
 	}
 	if (atomic_read(&entry->ref_count) != 0) {
 		DIAG_LOG(DIAG_DEBUG_MUX, "partial write_done ref %d\n",
 			 atomic_read(&entry->ref_count));
 		diag_ws_on_copy_complete(DIAG_WS_MUX);
+		spin_unlock_irqrestore(&ch->write_lock, flags);
 		diagmem_free(driver, req, ch->mempool);
 		return;
 	}
 	DIAG_LOG(DIAG_DEBUG_MUX, "full write_done, ctxt: %d\n", ctxt);
-	spin_lock_irqsave(&ch->write_lock, flags);
 	list_del(&entry->track);
 	ctxt = entry->ctxt;
 	buf = entry->buf;