Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d0da75e0 authored by Mulu He's avatar Mulu He
Browse files

coresight: stm: Fix null point issue in stm 



use-after-free over the global variable .stmdrvdata cause NULL point error.
stm_register_device call fail will be deferred probe, this action will
release all devm_** managed resource, so the preset stm_set_ost_params
will be cleared, in this case, if any call function use the global
.stmdrvdata variable will cause problem.

Change-Id: I8b287389f47c0b131f26ff00eef3f4c1bb7e63cd
Signed-off-by: default avatarMulu He <muluhe@codeaurora.org>
parent 7bcb1bb4

drivers/hwtracing/coresight/coresight-ost.c

+2 −3
Original line number Diff line number Diff line 
/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.

/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -280,14 +280,13 @@ EXPORT_SYMBOL(stm_ost_packet); 


int stm_set_ost_params(struct stm_drvdata *drvdata, size_t bitmap_size)

{

	stmdrvdata = drvdata;



	drvdata->chs.bitmap = devm_kzalloc(drvdata->dev, bitmap_size,

					   GFP_KERNEL);

	if (!drvdata->chs.bitmap)

		return -ENOMEM;



	bitmap_fill(drvdata->entities, OST_ENTITY_MAX);

	stmdrvdata = drvdata;



	return 0;

}

drivers/hwtracing/coresight/coresight-stm.c

+6 −6
Original line number Diff line number Diff line 
/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.

/* Copyright (c) 2015-2018, The Linux Foundation. All rights reserved.

 *

 * Description: CoreSight System Trace Macrocell driver

 *
@@ -839,11 +839,6 @@ static int stm_probe(struct amba_device *adev, const struct amba_id *id) 
	}

	bitmap_size = BITS_TO_LONGS(drvdata->numsp) * sizeof(long);



	/* Store the driver data pointer for use in exported functions */

	ret = stm_set_ost_params(drvdata, bitmap_size);

	if (ret)

		return ret;



	guaranteed = devm_kzalloc(dev, bitmap_size, GFP_KERNEL);

	if (!guaranteed)

		return -ENOMEM;
@@ -872,6 +867,11 @@ static int stm_probe(struct amba_device *adev, const struct amba_id *id) 
		goto stm_unregister;

	}



	/* Store the driver data pointer for use in exported functions */

	ret = stm_set_ost_params(drvdata, bitmap_size);

	if (ret)

		goto stm_unregister;



	pm_runtime_put(&adev->dev);



	dev_info(dev, "%s initialized\n", (char *)id->data);