Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b47931f3 authored by Mohit Aggarwal's avatar Mohit Aggarwal Committed by Manoj Prabhu B
Browse files

diag: Protect mask updates for memory device session 



Currently, there is a possibility of using already freed
memory device session members during mask updates. The
patch fixes the issue by adding proper protection.

CRs-Fixed: 2074264
Change-Id: Iff2009a498506ffe574655badfe0a0f9f0dece9a
Signed-off-by: default avatarMohit Aggarwal <maggarwa@codeaurora.org>
parent 8ee172f0

drivers/char/diag/diag_masks.c

+14 −0
Original line number Diff line number Diff line
@@ -752,7 +752,9 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len, 
	for (i = 0; i < NUM_PERIPHERALS; i++) {

		if (!diag_check_update(i))

			continue;

		mutex_lock(&driver->md_session_lock);

		diag_send_msg_mask_update(i, req->ssid_first, req->ssid_last);

		mutex_unlock(&driver->md_session_lock);

	}

end:

	return write_len;
@@ -814,7 +816,9 @@ static int diag_cmd_set_all_msg_mask(unsigned char *src_buf, int src_len, 
	for (i = 0; i < NUM_PERIPHERALS; i++) {

		if (!diag_check_update(i))

			continue;

		mutex_lock(&driver->md_session_lock);

		diag_send_msg_mask_update(i, ALL_SSID, ALL_SSID);

		mutex_unlock(&driver->md_session_lock);

	}



	return write_len;
@@ -908,7 +912,9 @@ static int diag_cmd_update_event_mask(unsigned char *src_buf, int src_len, 
	for (i = 0; i < NUM_PERIPHERALS; i++) {

		if (!diag_check_update(i))

			continue;

		mutex_lock(&driver->md_session_lock);

		diag_send_event_mask_update(i);

		mutex_unlock(&driver->md_session_lock);

	}



	return write_len;
@@ -955,7 +961,9 @@ static int diag_cmd_toggle_events(unsigned char *src_buf, int src_len, 
	for (i = 0; i < NUM_PERIPHERALS; i++) {

		if (!diag_check_update(i))

			continue;

		mutex_lock(&driver->md_session_lock);

		diag_send_event_mask_update(i);

		mutex_unlock(&driver->md_session_lock);

	}

	memcpy(dest_buf, &header, sizeof(header));

	write_len += sizeof(header);
@@ -1209,7 +1217,9 @@ static int diag_cmd_set_log_mask(unsigned char *src_buf, int src_len, 
	for (i = 0; i < NUM_PERIPHERALS; i++) {

		if (!diag_check_update(i))

			continue;

		mutex_lock(&driver->md_session_lock);

		diag_send_log_mask_update(i, req->equip_id);

		mutex_unlock(&driver->md_session_lock);

	}

end:

	return write_len;
@@ -1260,7 +1270,9 @@ static int diag_cmd_disable_log_mask(unsigned char *src_buf, int src_len, 
	for (i = 0; i < NUM_PERIPHERALS; i++) {

		if (!diag_check_update(i))

			continue;

		mutex_lock(&driver->md_session_lock);

		diag_send_log_mask_update(i, ALL_EQUIP_ID);

		mutex_unlock(&driver->md_session_lock);

	}



	return write_len;
@@ -1923,9 +1935,11 @@ void diag_send_updates_peripheral(uint8_t peripheral) 
	diag_send_feature_mask_update(peripheral);

	if (driver->time_sync_enabled)

		diag_send_time_sync_update(peripheral);

	mutex_lock(&driver->md_session_lock);

	diag_send_msg_mask_update(peripheral, ALL_SSID, ALL_SSID);

	diag_send_log_mask_update(peripheral, ALL_EQUIP_ID);

	diag_send_event_mask_update(peripheral);

	mutex_unlock(&driver->md_session_lock);

	diag_send_real_time_update(peripheral,

				driver->real_time_mode[DIAG_LOCAL_PROC]);

	diag_send_peripheral_buffering_mode(