diag: Protect mask updates for memory device session

Currently, there is a possibility of using already freed
memory device session members during mask updates. The
patch fixes the issue by adding proper protection.

CRs-Fixed: 2074264
Change-Id: Iff2009a498506ffe574655badfe0a0f9f0dece9a
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Mohit Aggarwal 2017-07-05 15:54:28 +05:30
parent d8ff341d38
commit ccab495a2f


@ -796,7 +796,9 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len,
for (i = 0; i < NUM_PERIPHERALS; i++) {
if (!diag_check_update(i))
continue;
mutex_lock(&driver->md_session_lock);
diag_send_msg_mask_update(i, req->ssid_first, req->ssid_last);
mutex_unlock(&driver->md_session_lock);
}
end:
return write_len;
@ -856,7 +858,9 @@ static int diag_cmd_set_all_msg_mask(unsigned char *src_buf, int src_len,
for (i = 0; i < NUM_PERIPHERALS; i++) {
if (!diag_check_update(i))
continue;
mutex_lock(&driver->md_session_lock);
diag_send_msg_mask_update(i, ALL_SSID, ALL_SSID);
mutex_unlock(&driver->md_session_lock);
}
return write_len;
@ -950,7 +954,9 @@ static int diag_cmd_update_event_mask(unsigned char *src_buf, int src_len,
for (i = 0; i < NUM_PERIPHERALS; i++) {
if (!diag_check_update(i))
continue;
mutex_lock(&driver->md_session_lock);
diag_send_event_mask_update(i);
mutex_unlock(&driver->md_session_lock);
}
return write_len;
@ -997,7 +1003,9 @@ static int diag_cmd_toggle_events(unsigned char *src_buf, int src_len,
for (i = 0; i < NUM_PERIPHERALS; i++) {
if (!diag_check_update(i))
continue;
mutex_lock(&driver->md_session_lock);
diag_send_event_mask_update(i);
mutex_unlock(&driver->md_session_lock);
}
memcpy(dest_buf, &header, sizeof(header));
write_len += sizeof(header);
@ -1251,7 +1259,9 @@ static int diag_cmd_set_log_mask(unsigned char *src_buf, int src_len,
for (i = 0; i < NUM_PERIPHERALS; i++) {
if (!diag_check_update(i))
continue;
mutex_lock(&driver->md_session_lock);
diag_send_log_mask_update(i, req->equip_id);
mutex_unlock(&driver->md_session_lock);
}
end:
return write_len;
@ -1302,7 +1312,9 @@ static int diag_cmd_disable_log_mask(unsigned char *src_buf, int src_len,
for (i = 0; i < NUM_PERIPHERALS; i++) {
if (!diag_check_update(i))
continue;
mutex_lock(&driver->md_session_lock);
diag_send_log_mask_update(i, ALL_EQUIP_ID);
mutex_unlock(&driver->md_session_lock);
}
return write_len;
@ -1966,9 +1978,11 @@ void diag_send_updates_peripheral(uint8_t peripheral)
diag_send_feature_mask_update(peripheral);
if (driver->time_sync_enabled)
diag_send_time_sync_update(peripheral);
mutex_lock(&driver->md_session_lock);
diag_send_msg_mask_update(peripheral, ALL_SSID, ALL_SSID);
diag_send_log_mask_update(peripheral, ALL_EQUIP_ID);
diag_send_event_mask_update(peripheral);
mutex_unlock(&driver->md_session_lock);
diag_send_real_time_update(peripheral,
driver->real_time_mode[DIAG_LOCAL_PROC]);
diag_send_peripheral_buffering_mode(
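Review bot: The rule that `diag_send_msg_mask_update()`, `diag_send_log_mask_update()` and `diag_send_event_mask_update()` must run under `driver->md_session_lock` is enforced only by wrapping each of the seven places shown in these hunks, and nothing documents or checks it, so a later caller that omits the lock would bring back the use of freed session members that the description mentions. Assuming these helpers are where the session's mask data is read (their bodies are outside the hunks), add `lockdep_assert_held(&driver->md_session_lock);` at the top of each, plus a comment at the lock's declaration saying that it guards the memory device session and its masks. Each hunk shows only the tail of its command handler, so it is also worth confirming that no session or mask pointer is fetched earlier in those functions without the lock, since a pointer obtained before `mutex_lock()` could already be stale. In `diag_send_updates_peripheral()` the mutex is held across three sends in a row; if those can block on the peripheral channel, the session close path would wait behind them, so check that lock ordering and hold time are acceptable there.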