Commit 3494711b authored Jan 16, 2017 by Satya Durga Srinivasu Prabhala Committed by Gerrit - the friendly Code Review server Feb 03, 2017

soc: qcom: service-notifier: fix object corruption



Below object corruption observed from service-notifier while executing
WLAN PDR tests. While executing WLAN PDR tests, Modem crashed, which
resulted into use after free condition. Add mutex lock to fix the issue.

   ===============================================
   BUG kmalloc-1024 (Tainted: G        W  O   ): \
                              Poison overwritten
   -----------------------------------------------

   INFO: 0xffffffc0ba5c4d30-0xffffffc0ba5c4d3a. \
                   First byte 0xff instead of 0x6b
   INFO: Allocated in qmi_handle_create+0x4c/0x320 \
                      age=80203 cpu=0 pid=27134
        alloc_debug_processing+0x124/0x178
        ___slab_alloc.constprop.62+0x4ec/0x5d0
        __slab_alloc.isra.59.constprop.61+0x48/0x74
        kmem_cache_alloc_trace+0xd4/0x25c
        qmi_handle_create+0x4c/0x320
        root_service_service_arrive+0x3c/0x1e8
        process_one_work+0x234/0x40c
        worker_thread+0x2e0/0x410
        kthread+0xf4/0xfc
        ret_from_fork+0x10/0x40
   INFO: Freed in qmi_handle_destroy+0x154/0x16c \
                              age=50 cpu=1 pid=22765
        free_debug_processing+0x27c/0x354
        __slab_free+0x74/0x3ac
        kfree+0x21c/0x290
        qmi_handle_destroy+0x154/0x16c
        root_service_service_exit+0xf0/0x110
        ssr_event_notify+0x74/0x84
        notifier_call_chain+0x58/0x8c
        __srcu_notifier_call_chain+0x9c/0xc0
        srcu_notifier_call_chain+0x38/0x44
        subsys_notif_queue_notification+0x40/0x54
        notify_each_subsys_device.isra.9+0x18c/0x1b0
        subsystem_restart_wq_func+0x2f4/0x5a8
        process_one_work+0x234/0x40c
        worker_thread+0x2e0/0x410
        kthread+0xf4/0xfc
        ret_from_fork+0x10/0x40

Change-Id: Iebc0871220547c2d6f026db1dffafe30b854b199
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>

parent 2d3f4807

drivers/soc/qcom/service-notifier.c

+5 −1

Original line number	Diff line number	Diff line
		/*
		* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
		* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -336,11 +336,13 @@ static void root_service_service_arrive(struct work_struct *work)
		int rc;
		int curr_state;

		mutex_lock(&qmi_client_release_lock);
		/* Create a Local client port for QMI communication */
		data->clnt_handle = qmi_handle_create(root_service_clnt_notify, work);
		if (!data->clnt_handle) {
		pr_err("QMI client handle alloc failed (instance-id: %d)\n",
		data->instance_id);
		mutex_unlock(&qmi_client_release_lock);
		return;
		}

		@@ -353,9 +355,11 @@ static void root_service_service_arrive(struct work_struct *work)
		data->instance_id, rc);
		qmi_handle_destroy(data->clnt_handle);
		data->clnt_handle = NULL;
		mutex_unlock(&qmi_client_release_lock);
		return;
		}
		data->service_connected = true;
		mutex_unlock(&qmi_client_release_lock);
		pr_info("Connection established between QMI handle and %d service\n",
		data->instance_id);
		/* Register for indication messages about service */