diag: dci: Fix possible dangling reference
This patch prevents a dangling pointer from being left behind after a
kfree operation on the pointer.
CRs-Fixed: 1083444
Change-Id: Ie2702223379b9c77ce4fe30376d446c63223dbc8
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
parent
7aada1c608
commit
f7ae4042cd
1 changed files with 26 additions and 0 deletions
|
@ -771,6 +771,7 @@ static int diag_dci_remove_req_entry(unsigned char *buf, int len,
|
|||
if (*buf != 0x80) {
|
||||
list_del(&entry->track);
|
||||
kfree(entry);
|
||||
entry = NULL;
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -788,6 +789,7 @@ static int diag_dci_remove_req_entry(unsigned char *buf, int len,
|
|||
if (delayed_rsp_id == 0) {
|
||||
list_del(&entry->track);
|
||||
kfree(entry);
|
||||
entry = NULL;
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -801,6 +803,7 @@ static int diag_dci_remove_req_entry(unsigned char *buf, int len,
|
|||
if (rsp_count > 0 && rsp_count < 0x1000) {
|
||||
list_del(&entry->track);
|
||||
kfree(entry);
|
||||
entry = NULL;
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -2682,10 +2685,12 @@ int diag_dci_init(void)
|
|||
err:
|
||||
pr_err("diag: Could not initialize diag DCI buffers");
|
||||
kfree(driver->apps_dci_buf);
|
||||
driver->apps_dci_buf = NULL;
|
||||
|
||||
if (driver->diag_dci_wq)
|
||||
destroy_workqueue(driver->diag_dci_wq);
|
||||
kfree(partial_pkt.data);
|
||||
partial_pkt.data = NULL;
|
||||
mutex_destroy(&driver->dci_mutex);
|
||||
mutex_destroy(&dci_log_mask_mutex);
|
||||
mutex_destroy(&dci_event_mask_mutex);
|
||||
|
@ -2705,7 +2710,9 @@ void diag_dci_channel_init(void)
|
|||
void diag_dci_exit(void)
|
||||
{
|
||||
kfree(partial_pkt.data);
|
||||
partial_pkt.data = NULL;
|
||||
kfree(driver->apps_dci_buf);
|
||||
driver->apps_dci_buf = NULL;
|
||||
mutex_destroy(&driver->dci_mutex);
|
||||
mutex_destroy(&dci_log_mask_mutex);
|
||||
mutex_destroy(&dci_event_mask_mutex);
|
||||
|
@ -2917,22 +2924,30 @@ fail_alloc:
|
|||
mutex_destroy(&proc_buf->health_mutex);
|
||||
if (proc_buf->buf_primary) {
|
||||
kfree(proc_buf->buf_primary->data);
|
||||
proc_buf->buf_primary->data = NULL;
|
||||
mutex_destroy(
|
||||
&proc_buf->buf_primary->data_mutex);
|
||||
}
|
||||
kfree(proc_buf->buf_primary);
|
||||
proc_buf->buf_primary = NULL;
|
||||
if (proc_buf->buf_cmd) {
|
||||
kfree(proc_buf->buf_cmd->data);
|
||||
proc_buf->buf_cmd->data = NULL;
|
||||
mutex_destroy(
|
||||
&proc_buf->buf_cmd->data_mutex);
|
||||
}
|
||||
kfree(proc_buf->buf_cmd);
|
||||
proc_buf->buf_cmd = NULL;
|
||||
}
|
||||
}
|
||||
kfree(new_entry->dci_event_mask);
|
||||
new_entry->dci_event_mask = NULL;
|
||||
kfree(new_entry->dci_log_mask);
|
||||
new_entry->dci_log_mask = NULL;
|
||||
kfree(new_entry->buffers);
|
||||
new_entry->buffers = NULL;
|
||||
kfree(new_entry);
|
||||
new_entry = NULL;
|
||||
}
|
||||
mutex_unlock(&driver->dci_mutex);
|
||||
return DIAG_DCI_NO_REG;
|
||||
|
@ -2963,6 +2978,7 @@ int diag_dci_deinit_client(struct diag_dci_client_tbl *entry)
|
|||
* masks and send the masks to peripherals
|
||||
*/
|
||||
kfree(entry->dci_log_mask);
|
||||
entry->dci_log_mask = NULL;
|
||||
diag_dci_invalidate_cumulative_log_mask(token);
|
||||
if (token == DCI_LOCAL_PROC)
|
||||
diag_update_userspace_clients(DCI_LOG_MASKS_TYPE);
|
||||
|
@ -2971,6 +2987,7 @@ int diag_dci_deinit_client(struct diag_dci_client_tbl *entry)
|
|||
return ret;
|
||||
}
|
||||
kfree(entry->dci_event_mask);
|
||||
entry->dci_event_mask = NULL;
|
||||
diag_dci_invalidate_cumulative_event_mask(token);
|
||||
if (token == DCI_LOCAL_PROC)
|
||||
diag_update_userspace_clients(DCI_EVENT_MASKS_TYPE);
|
||||
|
@ -2986,6 +3003,7 @@ int diag_dci_deinit_client(struct diag_dci_client_tbl *entry)
|
|||
if (!list_empty(&req_entry->track))
|
||||
list_del(&req_entry->track);
|
||||
kfree(req_entry);
|
||||
req_entry = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -3001,6 +3019,7 @@ int diag_dci_deinit_client(struct diag_dci_client_tbl *entry)
|
|||
buf_entry->data = NULL;
|
||||
mutex_unlock(&buf_entry->data_mutex);
|
||||
kfree(buf_entry);
|
||||
buf_entry = NULL;
|
||||
} else if (buf_entry->buf_type == DCI_BUF_CMD) {
|
||||
peripheral = buf_entry->data_source;
|
||||
if (peripheral == APPS_DATA)
|
||||
|
@ -3027,14 +3046,17 @@ int diag_dci_deinit_client(struct diag_dci_client_tbl *entry)
|
|||
mutex_unlock(&buf_entry->data_mutex);
|
||||
mutex_destroy(&buf_entry->data_mutex);
|
||||
kfree(buf_entry);
|
||||
buf_entry = NULL;
|
||||
}
|
||||
|
||||
mutex_lock(&proc_buf->buf_primary->data_mutex);
|
||||
kfree(proc_buf->buf_primary->data);
|
||||
proc_buf->buf_primary->data = NULL;
|
||||
mutex_unlock(&proc_buf->buf_primary->data_mutex);
|
||||
|
||||
mutex_lock(&proc_buf->buf_cmd->data_mutex);
|
||||
kfree(proc_buf->buf_cmd->data);
|
||||
proc_buf->buf_cmd->data = NULL;
|
||||
mutex_unlock(&proc_buf->buf_cmd->data_mutex);
|
||||
|
||||
mutex_destroy(&proc_buf->health_mutex);
|
||||
|
@ -3042,13 +3064,17 @@ int diag_dci_deinit_client(struct diag_dci_client_tbl *entry)
|
|||
mutex_destroy(&proc_buf->buf_cmd->data_mutex);
|
||||
|
||||
kfree(proc_buf->buf_primary);
|
||||
proc_buf->buf_primary = NULL;
|
||||
kfree(proc_buf->buf_cmd);
|
||||
proc_buf->buf_cmd = NULL;
|
||||
mutex_unlock(&proc_buf->buf_mutex);
|
||||
}
|
||||
mutex_destroy(&entry->write_buf_mutex);
|
||||
|
||||
kfree(entry->buffers);
|
||||
entry->buffers = NULL;
|
||||
kfree(entry);
|
||||
entry = NULL;
|
||||
|
||||
if (driver->num_dci_client == 0) {
|
||||
diag_update_proc_vote(DIAG_PROC_DCI, VOTE_DOWN, token);
|
||||
|
|
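Review bot: The `entry = NULL;` added right after `kfree(entry);` at the end of diag_dci_deinit_client assigns to a by-value parameter (see the signature in the hunk header), so it clears only the function's own copy and any pointer the caller holds still refers to freed memory. The same applies to the three `entry = NULL; return 1;` additions in diag_dci_remove_req_entry, and to `new_entry = NULL;` and `req_entry = NULL;`, if those names are parameters or locals; their declarations are outside the visible hunks. Such stores are dead and the compiler may drop them, so the commit only removes the dangling reference for the struct members it clears (`driver->apps_dci_buf`, `partial_pkt.data`, `proc_buf->buf_primary`, `proc_buf->buf_cmd` and the `->data` and mask fields). Either have each caller clear its own pointer after the call, or state the contract above the function, e.g. `/* frees entry; the caller must not use its pointer after this returns */`. Both function bodies continue outside the hunks shown, so whether the callers already do this cannot be confirmed from this page.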