From eb54351e063e3bef30aaa5d28f3d94886dc6ecc0 Mon Sep 17 00:00:00 2001
From: Hardik Arya
Date: Tue, 18 Jul 2017 13:38:26 +0530
Subject: [PATCH] diag: Add NULL pointer checks
Currently, there is a possibility of NULL pointer dereference while accessing diag master table. The patch adds proper check for null pointer while iterating over the list.
CRs-Fixed: 2077525
Change-Id: I51075b7a7f3acce0cb27822ad1acd8a5894cdaa9
Signed-off-by: Hardik Arya
---
 drivers/char/diag/diagchar_core.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
index afaedc99a4e7..5b7ac22e9eca 100644
--- a/drivers/char/diag/diagchar_core.c
+++ b/drivers/char/diag/diagchar_core.c
@@ -701,6 +701,11 @@ static void diag_cmd_invalidate_polling(int change_flag)
 driver->polling_reg_flag = 0;
 list_for_each_safe(start, temp, &driver->cmd_reg_list) {
 item = list_entry(start, struct diag_cmd_reg_t, link);
+ if (&item->entry == NULL) {
+ pr_err("diag: In %s, unable to search command\n",
+ __func__);
+ return;
+ }
 polling = diag_cmd_chk_polling(&item->entry);
 if (polling == DIAG_CMD_POLLING) {
 driver->polling_reg_flag = 1;
@@ -842,6 +847,12 @@ void diag_cmd_remove_reg_by_pid(int pid)
 mutex_lock(&driver->cmd_reg_mutex);
 list_for_each_safe(start, temp, &driver->cmd_reg_list) {
 item = list_entry(start, struct diag_cmd_reg_t, link);
+ if (&item->entry == NULL) {
+ pr_err("diag: In %s, unable to search command\n",
+ __func__);
+ mutex_unlock(&driver->cmd_reg_mutex);
+ return;
+ }
 if (item->pid == pid) {
 list_del(&item->link);
 kfree(item);
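Review bot: The added guard `if (&item->entry == NULL)` in diag_cmd_invalidate_polling can never be true, so the NULL dereference described in the commit message is not prevented. `item` is produced by `list_entry(start, ...)`, which is pointer arithmetic on a list node, and `&item->entry` is that pointer plus a member offset; neither is NULL for a node reached through `list_for_each_safe`, and a compiler may drop the comparison entirely (GCC reports tests of this kind under -Waddress). The same dead check is added in diag_cmd_remove_reg_by_pid and diag_cmd_remove_reg_by_proc. If the crash comes from the list being modified during the walk, the fix belongs in the locking: the visible lines of diag_cmd_invalidate_polling do not take `driver->cmd_reg_mutex`, so it is worth confirming that every caller holds it and stating that with `lockdep_assert_held(&driver->cmd_reg_mutex);` at the top of the function. All three function bodies start and end outside their hunks.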
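Review bot: The error path added to diag_cmd_remove_reg_by_pid repeats `mutex_unlock(&driver->cmd_reg_mutex); return;` inside the loop, giving the function a second unlock site that has to be kept in sync with the normal exit. If the loop is followed directly by the function's own unlock, which the `mutex_lock` at the top of the hunk suggests but the hunk does not show, a plain `break;` after the `pr_err` would keep a single exit. Abandoning the walk also leaves any later entries for that pid on `cmd_reg_list`, which deserves a comment such as `/* stop early: remaining entries for this pid stay registered */` if that is intended. diag_cmd_remove_reg_by_proc has the same shape.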
@@ -860,6 +871,12 @@ void diag_cmd_remove_reg_by_proc(int proc)
 mutex_lock(&driver->cmd_reg_mutex);
 list_for_each_safe(start, temp, &driver->cmd_reg_list) {
 item = list_entry(start, struct diag_cmd_reg_t, link);
+ if (&item->entry == NULL) {
+ pr_err("diag: In %s, unable to search command\n",
+ __func__);
+ mutex_unlock(&driver->cmd_reg_mutex);
+ return;
+ }
 if (item->proc == proc) {
 list_del(&item->link);
 kfree(item);