authorSrinivas Girigowda <sgirigow@codeaurora.org>2017-02-14 19:10:47 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2017-02-16 22:06:45 -0800
commit0ac5f6f2f221efb93fc0ddb1fec6487c76d95acd (patch)
treed2ca2bc0a20f7bff1092d9129aa73ba3a25efda9
parent4bd9cfc78cb7a44ebdbf9f39d95b818da50209e1 (diff)
qcacld-2.0: Acquire lock to protect hdd_ctx in hdd_driver_memdump_read()
Two threads accessing the procfs entry can race with each other, leading to a use-after-free of hdd_ctx->driver_dump_mem. Hence, acquire a lock to protect hdd_ctx. Change-Id: If871f4ceadf650978e16b4a336f688a0dae1c494 CRs-Fixed: 2005832
-rw-r--r--CORE/HDD/src/wlan_hdd_memdump.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/CORE/HDD/src/wlan_hdd_memdump.c b/CORE/HDD/src/wlan_hdd_memdump.c
index 44331071aaeb..778ec0736b80 100644
--- a/CORE/HDD/src/wlan_hdd_memdump.c
+++ b/CORE/HDD/src/wlan_hdd_memdump.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2015-2017 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -741,11 +741,14 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf,
if (0 != status)
return -EINVAL;
+ mutex_lock(&hdd_ctx->memdump_lock);
if (*pos < 0) {
+ mutex_unlock(&hdd_ctx->memdump_lock);
hddLog(LOGE, FL("Invalid start offset for memdump read"));
return -EINVAL;
} else if (!count || (hdd_ctx->driver_dump_size &&
(*pos >= hdd_ctx->driver_dump_size))) {
+ mutex_unlock(&hdd_ctx->memdump_lock);
hddLog(LOGE, FL("No more data to copy"));
return 0;
} else if ((*pos == 0) || (hdd_ctx->driver_dump_mem == NULL)) {
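Review bot: Five separate `mutex_unlock(&hdd_ctx->memdump_lock)` calls are added before the individual returns of hdd_driver_memdump_read() (two here, the rest in the hunks at -756, -784 and -795), so any return added later without its own unlock leaves the mutex held and blocks every later read of the procfs entry. A single exit label that unlocks once is harder to get wrong. The function starts before and continues past this hunk, so the sketch shows only the visible branches and the tail, and it moves the log calls under the lock, which looks harmless from here.

```c
	ssize_t ret;

	/* … unchanged: context validation before the lock … */
	mutex_lock(&hdd_ctx->memdump_lock);
	if (*pos < 0) {
		hddLog(LOGE, FL("Invalid start offset for memdump read"));
		ret = -EINVAL;
		goto unlock;
	} else if (!count || (hdd_ctx->driver_dump_size &&
			(*pos >= hdd_ctx->driver_dump_size))) {
		hddLog(LOGE, FL("No more data to copy"));
		ret = 0;
		goto unlock;
	} else if ((*pos == 0) || (hdd_ctx->driver_dump_mem == NULL)) {
	/* … unchanged: dump allocation and copy_to_user; failures set ret and goto unlock … */

	ret = no_of_bytes_read;
unlock:
	mutex_unlock(&hdd_ctx->memdump_lock);
	return ret;
```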
@@ -756,6 +759,7 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf,
hdd_ctx->driver_dump_mem =
vos_mem_malloc(DRIVER_MEM_DUMP_SIZE);
if (!hdd_ctx->driver_dump_mem) {
+ mutex_unlock(&hdd_ctx->memdump_lock);
hddLog(LOGE, FL("vos_mem_malloc failed"));
return -ENOMEM;
}
@@ -784,6 +788,7 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf,
if (copy_to_user(buf, hdd_ctx->driver_dump_mem + *pos,
no_of_bytes_read)) {
+ mutex_unlock(&hdd_ctx->memdump_lock);
hddLog(LOGE, FL("copy to user space failed"));
return -EFAULT;
}
@@ -795,6 +800,8 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf,
if (*pos >= hdd_ctx->driver_dump_size)
hdd_driver_mem_cleanup();
+ mutex_unlock(&hdd_ctx->memdump_lock);
+
return no_of_bytes_read;
}
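Review bot: hdd_driver_mem_cleanup() is now called with memdump_lock held, and the lock closes the use-after-free only if every other path that frees or reallocates hdd_ctx->driver_dump_mem takes the same mutex. The helper's body and its other callers are not in this diff; if it is also reached from a deinit or unload path without the lock, the free can still race with the copy_to_user() in the previous hunk, and if it ever acquires memdump_lock itself this call would self-deadlock. A comment on the helper such as `/* Caller must hold hdd_ctx->memdump_lock */` would record the contract. Only this file is touched, so memdump_lock presumably already exists; it is worth confirming that it is initialised before the procfs entry is created.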