evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: ipa: Fix memory leak in ipa driver

Browse source 
Free the memory pointed by msg pointer if
copy_to_user fails.

Change-Id: I628e089d844a3e1818a1a550e77ac10f33640ac9
Acked-by: Mohammed Javid <mjavid@qti.qualcomm.com>
Signed-off-by: Utkarsh Saxena <usaxena@codeaurora.org>
This commit is contained in:
Utkarsh Saxena 2017-04-03 13:21:58 +05:30
parent 44f5f07cfc
commit d13d6d6893
2 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
drivers/platform/msm/ipa/ipa_v2/ipa_intf.c
View file

@ -562,6 +562,8 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
mutex_unlock(&ipa_ctx->msg_lock);
if (copy_to_user(buf, &msg->meta,
sizeof(struct ipa_msg_meta))) {
kfree(msg);
msg = NULL;
ret = -EFAULT;
break;
}
@ -570,6 +572,8 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
if (msg->buff) {
if (copy_to_user(buf, msg->buff,
msg->meta.msg_len)) {
kfree(msg);
msg = NULL;
ret = -EFAULT;
break;
}

4
drivers/platform/msm/ipa/ipa_v3/ipa_intf.c
View file

@ -572,6 +572,8 @@ ssize_t ipa3_read(struct file *filp, char __user *buf, size_t count,
if (copy_to_user(buf, &msg->meta,
sizeof(struct ipa_msg_meta))) {
ret = -EFAULT;
kfree(msg);
msg = NULL;
break;
}
buf += sizeof(struct ipa_msg_meta);
@ -580,6 +582,8 @@ ssize_t ipa3_read(struct file *filp, char __user *buf, size_t count,
if (copy_to_user(buf, msg->buff,
msg->meta.msg_len)) {
ret = -EFAULT;
kfree(msg);
msg = NULL;
break;
}
buf += msg->meta.msg_len;