diff options
| author | Manoj Prabhu B <quic_bmanoj@quicinc.com> | 2022-01-20 15:00:05 +0530 |
|---|---|---|
| committer | Jairaj Solanki <quic_jsolanki@quicinc.com> | 2022-09-19 19:08:01 +0530 |
| commit | e1085d1ef39b48a2bbef4e19ee7182a5c15421b0 (patch) | |
| tree | a6991d83e9bfcdf8e682416df6ebcb2a84a52fdc | |
| parent | 16802e80ecb58bd39ce55d2f29457455735b650e (diff) | |
diag: Ensure dci entry is valid before sending the packet
Possibility of a race condition which can free the dci entry
causing use after free case is prevented by adding the check
for entry's validity.
Change-Id: Ib436ffd16c266636d99885d6091eb1a6887737c7
Signed-off-by: Manoj Prabhu B <quic_bmanoj@quicinc.com>
| -rw-r--r-- | drivers/char/diag/diag_dci.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c index 1fe7fa0debcc..926689acc4e4 100644 --- a/drivers/char/diag/diag_dci.c +++ b/drivers/char/diag/diag_dci.c @@ -1,4 +1,5 @@ -/* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. + * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -1615,7 +1616,6 @@ static int diag_send_dci_pkt(struct diag_cmd_reg_t *entry, return -EIO; } - mutex_lock(&driver->dci_mutex); /* prepare DCI packet */ header.start = CONTROL_CHAR; header.version = 1; @@ -1634,7 +1634,6 @@ static int diag_send_dci_pkt(struct diag_cmd_reg_t *entry, diag_update_pkt_buffer(driver->apps_dci_buf, write_len, DCI_PKT_TYPE); diag_update_sleeping_process(entry->pid, DCI_PKT_TYPE); - mutex_unlock(&driver->dci_mutex); return DIAG_DCI_NO_ERROR; } @@ -1654,7 +1653,6 @@ static int diag_send_dci_pkt(struct diag_cmd_reg_t *entry, entry->proc); status = DIAG_DCI_SEND_DATA_FAIL; } - mutex_unlock(&driver->dci_mutex); return status; } @@ -2115,8 +2113,11 @@ static int diag_process_dci_pkt_rsp(unsigned char *buf, int len) if (temp_entry) { reg_item = container_of(temp_entry, struct diag_cmd_reg_t, entry); - ret = diag_send_dci_pkt(reg_item, req_buf, req_len, + mutex_lock(&driver->dci_mutex); + if (req_entry) + ret = diag_send_dci_pkt(reg_item, req_buf, req_len, req_entry->tag); + mutex_unlock(&driver->dci_mutex); } else { DIAG_LOG(DIAG_DEBUG_DCI, "Command not found: %02x %02x %02x\n", reg_entry.cmd_code, reg_entry.subsys_id, |