evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

soc: qcom: ipc_router_smd_xprt: Set pointer to NULL after free

Browse source 
in_pkt pointer is holding dangling pointer address even after calling
release_pkt() which causing use-after-free.

Set the in_pkt pointer to NULL after free.

CRs-Fixed: 2210859
Change-Id: If5e01c0109c947e52f3ff269c9b2b50ac0dc2bdf
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
This commit is contained in:
Arun Kumar Neelakantam 2018-03-22 17:41:28 +05:30
parent a56e768ca3
commit 8d26f80ebc
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
drivers/soc/qcom/ipc_router_smd_xprt.c
View file

@ -1,4 +1,4 @@
/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
/* Copyright (c) 2011-2015, 2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@ -294,8 +294,10 @@ static void smd_xprt_read_data(struct work_struct *work)
spin_lock_irqsave(&smd_xprtp->ss_reset_lock, flags);
if (smd_xprtp->ss_reset) {
spin_unlock_irqrestore(&smd_xprtp->ss_reset_lock, flags);
if (smd_xprtp->in_pkt)
if (smd_xprtp->in_pkt) {
release_pkt(smd_xprtp->in_pkt);
smd_xprtp->in_pkt = NULL;
}
smd_xprtp->is_partial_in_pkt = 0;
IPC_RTR_ERR("%s: %s channel reset\n",
__func__, smd_xprtp->xprt.name);
@ -348,6 +350,7 @@ static void smd_xprt_read_data(struct work_struct *work)
__func__, smd_xprtp->xprt.name);
kfree_skb(ipc_rtr_pkt);
release_pkt(smd_xprtp->in_pkt);
smd_xprtp->in_pkt = NULL;
smd_xprtp->is_partial_in_pkt = 0;
return;
}