diff options
| author | Mohit Aggarwal <maggarwa@codeaurora.org> | 2015-12-24 14:09:15 +0530 |
|---|---|---|
| committer | David Keitel <dkeitel@codeaurora.org> | 2016-03-23 21:16:13 -0700 |
| commit | 86e3a9baf291465bdfb50bf7b6b6188ab95866b8 (patch) | |
| tree | e7f0cfbaf8310266e0b5cf5acb61d27fb676fd28 /drivers/char/diag | |
| parent | 5e06ef126415dc22640f7d99b74136fae0d52a20 (diff) | |
diag: Rectify possible double free in memory device mode
Currently, there is a possibility of double freeing the
buffer in memory device mode. This patch protects the
buffer properly and also does the required cleanup once
buffer will be freed.
Change-Id: Ia016884bff4d41f2f8c59a547bd00a862c477e01
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Diffstat (limited to 'drivers/char/diag')
| -rw-r--r-- | drivers/char/diag/diag_memorydevice.c | 7 | ||||
| -rw-r--r-- | drivers/char/diag/diagfwd.c | 1 |
2 files changed, 6 insertions, 2 deletions
diff --git a/drivers/char/diag/diag_memorydevice.c b/drivers/char/diag/diag_memorydevice.c index d89b3f319abd..7bc5bb1bd577 100644 --- a/drivers/char/diag/diag_memorydevice.c +++ b/drivers/char/diag/diag_memorydevice.c @@ -109,11 +109,11 @@ void diag_md_close_all() * internal buffers in the table so that there are no stale * entries. */ + spin_lock_irqsave(&ch->lock, flags); for (j = 0; j < ch->num_tbl_entries; j++) { entry = &ch->tbl[j]; if (entry->len <= 0) continue; - spin_lock_irqsave(&ch->lock, flags); if (ch->ops && ch->ops->write_done) ch->ops->write_done(entry->buf, entry->len, entry->ctx, @@ -121,9 +121,9 @@ void diag_md_close_all() entry->buf = NULL; entry->len = 0; entry->ctx = 0; + } spin_unlock_irqrestore(&ch->lock, flags); } - } diag_ws_reset(DIAG_WS_MUX); } @@ -329,6 +329,9 @@ int diag_md_close_peripheral(int id, uint8_t peripheral) ch->ops->write_done(entry->buf, entry->len, entry->ctx, DIAG_MEMORY_DEVICE_MODE); + entry->buf = NULL; + entry->len = 0; + entry->ctx = 0; } } spin_unlock_irqrestore(&ch->lock, flags); diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c index fbc06a14553c..9c238d621f6e 100644 --- a/drivers/char/diag/diagfwd.c +++ b/drivers/char/diag/diagfwd.c @@ -1489,6 +1489,7 @@ static int diagfwd_mux_write_done(unsigned char *buf, int len, int buf_ctxt, } else if (peripheral == APPS_DATA) { diagmem_free(driver, (unsigned char *)buf, POOL_TYPE_HDLC); + buf = NULL; } else { pr_err_ratelimited("diag: Invalid peripheral %d in %s, type: %d\n", peripheral, __func__, type); |