diff options
| author | Mohammed Javid <mjavid@codeaurora.org> | 2017-06-15 18:39:07 +0530 |
|---|---|---|
| committer | Mohammed Javid <mjavid@codeaurora.org> | 2017-06-19 10:50:56 +0530 |
| commit | a950cd0068fbad7dd594d4b95411cfc3279c225a (patch) | |
| tree | be2d342ec55ae158099cae263543ab2f8ad51c26 /drivers/platform | |
| parent | f19eadaabed4e671d0843ddd1bb72fbd530cd9db (diff) | |
msm:ipa: Fix to kasan use-after-free issue
Added mutex lock to query rt table function also to sync
with other ioctl calls in both ipa v2/v3.
Change-Id: I65d46c0ef28b5e6260c92473fd15e9763de20146
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Diffstat (limited to 'drivers/platform')
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v2/ipa_rt.c | 6 | ||||
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v3/ipa_rt.c | 7 |
2 files changed, 10 insertions, 3 deletions
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c index 2214dfe89df3..f2909110d09f 100644 --- a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c +++ b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c @@ -857,12 +857,16 @@ int ipa2_query_rt_index(struct ipa_ioc_get_rt_tbl_indx *in) return -EINVAL; } + mutex_lock(&ipa_ctx->lock); /* check if this table exists */ entry = __ipa_find_rt_tbl(in->ip, in->name); - if (!entry) + if (!entry) { + mutex_unlock(&ipa_ctx->lock); return -EFAULT; + } in->idx = entry->idx; + mutex_unlock(&ipa_ctx->lock); return 0; } diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c b/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c index 7212ba2a165c..6197c9f64ca5 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c @@ -727,12 +727,15 @@ int ipa3_query_rt_index(struct ipa_ioc_get_rt_tbl_indx *in) return -EINVAL; } + mutex_lock(&ipa3_ctx->lock); /* check if this table exists */ entry = __ipa3_find_rt_tbl(in->ip, in->name); - if (!entry) + if (!entry) { + mutex_unlock(&ipa3_ctx->lock); return -EFAULT; - + } in->idx = entry->idx; + mutex_unlock(&ipa3_ctx->lock); return 0; } |