Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f10594b5 authored by Linux Build Service Account's avatar Linux Build Service Account Committed by Gerrit - the friendly Code Review server
Browse files

Merge "icnss: fix the memory and kernel info leak due to the race condition"

parents 6ac9ecb4 b728ff01
Loading
Loading
Loading
Loading
+11 −1
Original line number Diff line number Diff line
@@ -461,6 +461,7 @@ static struct icnss_priv {
	u8 requesting_sub_system;
	u16 line_number;
	char function_name[QMI_WLFW_FUNCTION_NAME_LEN_V01 + 1];
	struct mutex dev_lock;
} *penv;

#ifdef CONFIG_ICNSS_DEBUG
@@ -4069,12 +4070,14 @@ static int icnss_regread_show(struct seq_file *s, void *data)
{
	struct icnss_priv *priv = s->private;

	mutex_lock(&priv->dev_lock);
	if (!priv->diag_reg_read_buf) {
		seq_puts(s, "Usage: echo <mem_type> <offset> <data_len> > <debugfs>/icnss/reg_read\n");

		if (!test_bit(ICNSS_FW_READY, &priv->state))
			seq_puts(s, "Firmware is not ready yet!, wait for FW READY\n");

		mutex_unlock(&priv->dev_lock);
		return 0;
	}

@@ -4088,6 +4091,7 @@ static int icnss_regread_show(struct seq_file *s, void *data)
	priv->diag_reg_read_len = 0;
	kfree(priv->diag_reg_read_buf);
	priv->diag_reg_read_buf = NULL;
	mutex_unlock(&priv->dev_lock);

	return 0;
}
@@ -4148,18 +4152,22 @@ static ssize_t icnss_regread_write(struct file *fp, const char __user *user_buf,
	    data_len > QMI_WLFW_MAX_DATA_SIZE_V01)
		return -EINVAL;

	mutex_lock(&priv->dev_lock);
	kfree(priv->diag_reg_read_buf);
	priv->diag_reg_read_buf = NULL;

	reg_buf = kzalloc(data_len, GFP_KERNEL);
	if (!reg_buf)
	if (!reg_buf) {
		mutex_unlock(&priv->dev_lock);
		return -ENOMEM;
	}

	ret = wlfw_athdiag_read_send_sync_msg(priv, reg_offset,
					      mem_type, data_len,
					      reg_buf);
	if (ret) {
		kfree(reg_buf);
		mutex_unlock(&priv->dev_lock);
		return ret;
	}

@@ -4167,6 +4175,7 @@ static ssize_t icnss_regread_write(struct file *fp, const char __user *user_buf,
	priv->diag_reg_read_mem_type = mem_type;
	priv->diag_reg_read_len = data_len;
	priv->diag_reg_read_buf = reg_buf;
	mutex_unlock(&priv->dev_lock);

	return count;
}
@@ -4446,6 +4455,7 @@ static int icnss_probe(struct platform_device *pdev)

	spin_lock_init(&priv->event_lock);
	spin_lock_init(&priv->on_off_lock);
	mutex_init(&priv->dev_lock);

	priv->event_wq = alloc_workqueue("icnss_driver_event", WQ_UNBOUND, 1);
	if (!priv->event_wq) {