Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5abe1e4a authored by Nirmal Abraham's avatar Nirmal Abraham Committed by Sridhar Gujje
Browse files

msm: camera: reqmgr: Avoid freeing subdev twice 



The 'l_device' pointer in __cam_req_mgr_destroy_subdev is
set to NULL after freeing but this is done on a
local copy of the variable in stack. This results in
double-free when this function is called again. To avoid
this, pass 'l_device' pointer by reference and assign it
to NULL after freeing.

CRs-Fixed: 3120468
Change-Id: If2dde6f1c702bee26a3c8a68c2f45bafbf0f7cd6
Signed-off-by: default avatarNirmal Abraham <quic_c_nabrah@quicinc.com>
Signed-off-by: default avatarSridhar Gujje <quic_sgujje@quicinc.com>
parent b8109b2e

drivers/cam_req_mgr/cam_req_mgr_core.c

+10 −6
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.

 */



#include <linux/module.h>
@@ -1886,10 +1887,13 @@ static int __cam_req_mgr_create_subdevs( 
 *

 */

static void __cam_req_mgr_destroy_subdev(

	struct cam_req_mgr_connected_device *l_device)

	struct cam_req_mgr_connected_device **l_device)

{

	kfree(l_device);

	l_device = NULL;

	CAM_DBG(CAM_CRM, "*l_device %pK", *l_device);

	if (*(l_device) != NULL) {

		kfree(*(l_device));

		*l_device = NULL;

	}

}



/**
@@ -3340,7 +3344,7 @@ static int __cam_req_mgr_unlink(struct cam_req_mgr_core_link *link) 
	__cam_req_mgr_destroy_link_info(link);

	/* Free memory holding data of linked devs */



	__cam_req_mgr_destroy_subdev(link->l_dev);

	__cam_req_mgr_destroy_subdev(&link->l_dev);



	/* Destroy the link handle */

	rc = cam_destroy_device_hdl(link->link_hdl);
@@ -3511,7 +3515,7 @@ int cam_req_mgr_link(struct cam_req_mgr_ver_info *link_info) 
	mutex_unlock(&g_crm_core_dev->crm_lock);

	return rc;

setup_failed:

	__cam_req_mgr_destroy_subdev(link->l_dev);

	__cam_req_mgr_destroy_subdev(&link->l_dev);

create_subdev_failed:

	cam_destroy_device_hdl(link->link_hdl);

	link_info->u.link_info_v1.link_hdl = -1;
@@ -3621,7 +3625,7 @@ int cam_req_mgr_link_v2(struct cam_req_mgr_ver_info *link_info) 
	mutex_unlock(&g_crm_core_dev->crm_lock);

	return rc;

setup_failed:

	__cam_req_mgr_destroy_subdev(link->l_dev);

	__cam_req_mgr_destroy_subdev(&link->l_dev);

create_subdev_failed:

	cam_destroy_device_hdl(link->link_hdl);

	link_info->u.link_info_v2.link_hdl = -1;