From 4d1903a891b439b8bbe248144ee40d6c962fd021 Mon Sep 17 00:00:00 2001
From: Satya Durga Srinivasu Prabhala
Date: Tue, 21 Feb 2017 13:34:06 -0800
Subject: soc: qcom: sysmon-qmi: fix object corruption due to use after free

While executing multimedia tests which include ADSP SSR testing, below object corruption observed due to use after free condition. Add mutex lock to fix the issue.

===============================================
BUG kmalloc-1024 (Tainted: G W O ): \
Poison overwritten
-----------------------------------------------
INFO: 0xffffffc030db0cb0-0xffffffc030db0cba. \
First byte 0xff instead of 0x6b
INFO: Allocated in qmi_handle_create+0x4c/0x320 \
age=14486 cpu=4 pid=32505
alloc_debug_processing+0x138/0x18c
___slab_alloc.constprop.61+0x4ec/0x5d0
__slab_alloc.isra.58.constprop.60+0x48/0x74
kmem_cache_alloc_trace+0xd4/0x25c
qmi_handle_create+0x4c/0x320
sysmon_clnt_svc_arrive+0x34/0xe4
process_one_work+0x234/0x40c
worker_thread+0x2e0/0x410
kthread+0xf4/0xfc
ret_from_fork+0x10/0x40
INFO: Freed in qmi_handle_destroy+0x154/0x16c \
age=1159 cpu=4 pid=3784
free_debug_processing+0x290/0x368
__slab_free+0x74/0x3ac
kfree+0x21c/0x290
qmi_handle_destroy+0x154/0x16c
sysmon_clnt_svc_exit+0x20/0x30
process_one_work+0x234/0x40c
worker_thread+0x2e0/0x410
kthread+0xf4/0xfc
ret_from_fork+0x10/0x40

CRs-Fixed: 2009777
Change-Id: If3730f5f972424d49d43d552b7fd1a28e4e0b794
Signed-off-by: Satya Durga Srinivasu Prabhala
---
 drivers/soc/qcom/sysmon-qmi.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'drivers')

diff --git a/drivers/soc/qcom/sysmon-qmi.c b/drivers/soc/qcom/sysmon-qmi.c
index 7ef69b527ef8..1063b96d8d83 100644
--- a/drivers/soc/qcom/sysmon-qmi.c
+++ b/drivers/soc/qcom/sysmon-qmi.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2015, 2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -153,10 +153,12 @@ static void sysmon_clnt_svc_arrive(struct work_struct *work)
 struct sysmon_qmi_data *data = container_of(work,
 struct sysmon_qmi_data, svc_arrive);
 
+ mutex_lock(&sysmon_lock);
 /* Create a Local client port for QMI communication */
 data->clnt_handle = qmi_handle_create(sysmon_clnt_notify, work);
 if (!data->clnt_handle) {
 pr_err("QMI client handle alloc failed for %s\n", data->name);
+ mutex_unlock(&sysmon_lock);
 return;
 }
 
@@ -167,6 +169,7 @@ static void sysmon_clnt_svc_arrive(struct work_struct *work)
 data->name);
 qmi_handle_destroy(data->clnt_handle);
 data->clnt_handle = NULL;
+ mutex_unlock(&sysmon_lock);
 return;
 }
 pr_info("Connection established between QMI handle and %s's SSCTL service\n"
@@ -177,6 +180,7 @@ static void sysmon_clnt_svc_arrive(struct work_struct *work)
 if (rc < 0)
 pr_warn("%s: Could not register the indication callback\n",
 data->name);
+ mutex_unlock(&sysmon_lock);
 }
 
 static void sysmon_clnt_svc_exit(struct work_struct *work)
@@ -184,8 +188,10 @@ static void sysmon_clnt_svc_exit(struct work_struct *work)
 struct sysmon_qmi_data *data = container_of(work,
 struct sysmon_qmi_data, svc_exit);
 
+ mutex_lock(&sysmon_lock);
 qmi_handle_destroy(data->clnt_handle);
 data->clnt_handle = NULL;
+ mutex_unlock(&sysmon_lock);
 }
 
 static void sysmon_clnt_recv_msg(struct work_struct *work)
-- 
cgit v1.2.3
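Review bot: The new lock only serializes sysmon_clnt_svc_arrive against sysmon_clnt_svc_exit; the other users of `data->clnt_handle` — `sysmon_clnt_recv_msg`, whose signature closes the -184 hunk, and any request path that sends through the handle — are not in these hunks, so a destroy in svc_exit can presumably still race with them unless they also take `sysmon_lock` and re-check `data->clnt_handle` for NULL while holding it. In sysmon_clnt_svc_arrive the unlock is now duplicated on three exit paths (the -153, -167 and -177 hunks), which is easy to miss when another early return is added later; the kernel idiom is to turn the two `return;` statements into `goto out;` and finish the function with `out:` followed by `mutex_unlock(&sysmon_lock);`. `sysmon_lock` is not declared in this diff and the diffstat's seven insertions are all accounted for, so it is taken to be a pre-existing file-scope mutex; if it is shared by every sysmon_qmi_data instance, holding it across handle creation and service connection in svc_arrive will also stall svc_exit for other subsystems for that duration, which deserves a comment at the lock's definition such as `/* Serializes creation and teardown of clnt_handle between the svc_arrive and svc_exit work items. */`. sysmon_clnt_svc_arrive begins before the -153 hunk and its body is spread over three hunks.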