Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1c780486 authored by Conner Huff's avatar Conner Huff Committed by Gerrit - the friendly Code Review server
Browse files

soc: dfc: fix use-after-free 



There is a race condition when dfc_qmi_query_flow tries
to access the dfc client data while the dfc client is
exiting due to SSR, which results in a use-after-free.
To fix it, we will check a new flag dfc_client_exiting[i]
before accessing dfc_qmi_query_flow. Once the work is started,
dfc client will not be deleted until it is done and the
workqueue is flushed.

Change-Id: I76ab4a99b3f46cddd0ab1b1ba471c04417f57e94
Acked-by: default avatarNing Cai <ncai@qti.qualcomm.com>
Signed-off-by: default avatarConner Huff <chuff@codeaurora.org>
parent 9c37100a

drivers/soc/qcom/qmi_rmnet.c

+4 −1
Original line number Diff line number Diff line
@@ -461,7 +461,8 @@ static void qmi_rmnet_query_flows(struct qmi_info *qmi) 
	int i;



	for (i = 0; i < MAX_CLIENT_NUM; i++) {

		if (qmi->dfc_clients[i] && !dfc_qmap)

		if (qmi->dfc_clients[i] && !dfc_qmap &&

		    !qmi->dfc_client_exiting[i])

			dfc_qmi_query_flow(qmi->dfc_clients[i]);

	}

}
@@ -537,6 +538,7 @@ qmi_rmnet_setup_client(void *port, struct qmi_info *qmi, struct tcmsg *tcm) 
			err = dfc_qmap_client_init(port, idx, &svc, qmi);

		else

			err = dfc_qmi_client_init(port, idx, &svc, qmi);

		qmi->dfc_client_exiting[idx] = false;

	}



	if ((tcm->tcm_ifindex & FLAG_POWERSAVE_MASK) &&
@@ -597,6 +599,7 @@ qmi_rmnet_delete_client(void *port, struct qmi_info *qmi, struct tcmsg *tcm) 
		qmi->wda_client = NULL;

		qmi->wda_pending = NULL;

	} else {

		qmi->dfc_client_exiting[idx] = true;

		qmi_rmnet_flush_ps_wq();

	}

drivers/soc/qcom/qmi_rmnet_i.h

+1 −0
Original line number Diff line number Diff line
@@ -80,6 +80,7 @@ struct qmi_info { 
	void *wda_pending;

	void *dfc_clients[MAX_CLIENT_NUM];

	void *dfc_pending[MAX_CLIENT_NUM];

	bool dfc_client_exiting[MAX_CLIENT_NUM];

	unsigned long ps_work_active;

	bool ps_enabled;

	bool dl_msg_active;