
Commit 69e24e2b authored by Nirmal Abraham's avatar Nirmal Abraham

msm: camera: reqmgr: Avoid freeing subdev twice



The 'l_device' pointer in __cam_req_mgr_destroy_subdev is
set to NULL after freeing, but this is done on a
local copy of the pointer on the stack, so the caller's
copy still holds the freed address. This results in a
double free when this function is called again. To avoid
this, pass the 'l_device' pointer by reference and assign it
to NULL after freeing.

CRs-Fixed: 3120468
Change-Id: If2dde5f1c702bae26a3c7a68c2f35bafcf0f7ce6
Signed-off-by: default avatarNirmal Abraham <quic_c_nabrah@quicinc.com>
parent 32b3852d
+10 −6
/* Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -1614,10 +1615,13 @@ static int __cam_req_mgr_create_subdevs(
 *
 */
static void __cam_req_mgr_destroy_subdev(
	struct cam_req_mgr_connected_device *l_device)
	struct cam_req_mgr_connected_device **l_device)
{
	kfree(l_device);
	l_device = NULL;
	CAM_DBG(CAM_CRM, "*l_device %pK", *l_device);
	if (*(l_device) != NULL) {
		kfree(*(l_device));
		*l_device = NULL;
	}
}

/**
@@ -2806,7 +2810,7 @@ static int __cam_req_mgr_unlink(struct cam_req_mgr_core_link *link)
	__cam_req_mgr_destroy_link_info(link);

	/* Free memory holding data of linked devs */
	__cam_req_mgr_destroy_subdev(link->l_dev);
	__cam_req_mgr_destroy_subdev(&link->l_dev);

	/* Destroy the link handle */
	rc = cam_destroy_device_hdl(link->link_hdl);
@@ -2969,7 +2973,7 @@ int cam_req_mgr_link(struct cam_req_mgr_ver_info *link_info)
	mutex_unlock(&g_crm_core_dev->crm_lock);
	return rc;
setup_failed:
	__cam_req_mgr_destroy_subdev(link->l_dev);
	__cam_req_mgr_destroy_subdev(&link->l_dev);
create_subdev_failed:
	cam_destroy_device_hdl(link->link_hdl);
	link_info->u.link_info_v1.link_hdl = -1;
@@ -3078,7 +3082,7 @@ int cam_req_mgr_link_v2(struct cam_req_mgr_ver_info *link_info)
	mutex_unlock(&g_crm_core_dev->crm_lock);
	return rc;
setup_failed:
	__cam_req_mgr_destroy_subdev(link->l_dev);
	__cam_req_mgr_destroy_subdev(&link->l_dev);
create_subdev_failed:
	cam_destroy_device_hdl(link->link_hdl);
	link_info->u.link_info_v2.link_hdl = -1;
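Review bot: In `__cam_req_mgr_destroy_subdev` the test of `*l_device` and the following `kfree`/NULL store are not atomic, so the double free is closed only if every path into this helper is serialized on the same lock. The `setup_failed:` labels in `cam_req_mgr_link` and `cam_req_mgr_link_v2` follow a `mutex_unlock(&g_crm_core_dev->crm_lock); return rc;`, and the hunks do not show whether the lock is still held when those labels are reached or in `__cam_req_mgr_unlink`, so that should be confirmed. The `if (*(l_device) != NULL)` guard is redundant because `kfree(NULL)` is a no-op; `kfree(*l_device); *l_device = NULL;` is enough. The helper also dereferences `l_device` in `CAM_DBG` before any check, which holds for the three `&link->l_dev` call sites shown but should be stated in the function's header comment (it starts outside the hunk), e.g. `@l_device: address of the link's l_dev pointer, must not be NULL; *l_device is NULL on return`.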