authorArun Kumar Neelakantam <aneela@codeaurora.org>2018-03-22 17:41:28 +0530
committerArun Kumar Neelakantam <aneela@codeaurora.org>2018-03-28 10:30:26 +0530
commit8d26f80ebc22bdac2372b16f882f4351553ec47e (patch)
treecd03bfa738324cc5313db52ba7f004cf6c24e086 /drivers/soc
parenta56e768ca3bf5a8484dc28d173984f3960307bdf (diff)
soc: qcom: ipc_router_smd_xprt: Set pointer to NULL after free
The in_pkt pointer still holds a dangling address after release_pkt() is called, which causes a use-after-free. Set the in_pkt pointer to NULL after the free. CRs-Fixed: 2210859 Change-Id: If5e01c0109c947e52f3ff269c9b2b50ac0dc2bdf Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
Diffstat (limited to 'drivers/soc')
-rw-r--r--drivers/soc/qcom/ipc_router_smd_xprt.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/soc/qcom/ipc_router_smd_xprt.c b/drivers/soc/qcom/ipc_router_smd_xprt.c
index a94e81556027..6e17f0b9cc31 100644
--- a/drivers/soc/qcom/ipc_router_smd_xprt.c
+++ b/drivers/soc/qcom/ipc_router_smd_xprt.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2015, 2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -294,8 +294,10 @@ static void smd_xprt_read_data(struct work_struct *work)
spin_lock_irqsave(&smd_xprtp->ss_reset_lock, flags);
if (smd_xprtp->ss_reset) {
spin_unlock_irqrestore(&smd_xprtp->ss_reset_lock, flags);
- if (smd_xprtp->in_pkt)
+ if (smd_xprtp->in_pkt) {
release_pkt(smd_xprtp->in_pkt);
+ smd_xprtp->in_pkt = NULL;
+ }
smd_xprtp->is_partial_in_pkt = 0;
IPC_RTR_ERR("%s: %s channel reset\n",
__func__, smd_xprtp->xprt.name);
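Review bot: The release-then-clear sequence for `smd_xprtp->in_pkt` is now open-coded twice in smd_xprt_read_data, in the `ss_reset` branch here and in the error path of the hunk at -348, so the fix holds only as long as every later `release_pkt(smd_xprtp->in_pkt)` call remembers the NULL store. Folding `release_pkt()`, `in_pkt = NULL` and `is_partial_in_pkt = 0` into one static helper would make that invariant hard to miss. Any other release sites in this function lie outside the hunks and should be checked for the same stale pointer. In this branch the pointer is also tested and cleared after `spin_unlock_irqrestore()`, so if another context can reach `in_pkt` (not visible here) the clear is unsynchronised; a short comment stating which context owns `in_pkt` would settle that. The function body starts and ends outside both hunks.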
@@ -348,6 +350,7 @@ static void smd_xprt_read_data(struct work_struct *work)
__func__, smd_xprtp->xprt.name);
kfree_skb(ipc_rtr_pkt);
release_pkt(smd_xprtp->in_pkt);
+ smd_xprtp->in_pkt = NULL;
smd_xprtp->is_partial_in_pkt = 0;
return;
}