Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e6fa19ad authored by Manoj Prabhu B's avatar Manoj Prabhu B
Browse files

memshare: Free QMI handle only if its valid 



Avoid possible use-after-free access for a QMI handle
during driver deinit by ensuring the free happens only for
valid QMI handle and is marked NULL post free.

Change-Id: I4314dff560de2fc3aea30d636f935d7a02067a57
Signed-off-by: default avatarManoj Prabhu B <quic_bmanoj@quicinc.com>
parent 6401a855

drivers/soc/qcom/memshare/msm_memshare.c

+12 −4
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/* Copyright (c) 2013-2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.

 */



#include <linux/err.h>
@@ -751,6 +752,7 @@ static void memshare_init_worker(struct work_struct *work) 
		dev_err(memsh_child->dev,

			"memshare: Creating mem_share_svc qmi handle failed\n");

		kfree(mem_share_svc_handle);

		mem_share_svc_handle = NULL;

		destroy_workqueue(mem_share_svc_workqueue);

		return;

	}
@@ -759,8 +761,11 @@ static void memshare_init_worker(struct work_struct *work) 
	if (rc < 0) {

		dev_err(memsh_child->dev,

			"memshare: Registering mem share svc failed %d\n", rc);

		if (mem_share_svc_handle) {

			qmi_handle_release(mem_share_svc_handle);

			kfree(mem_share_svc_handle);

			mem_share_svc_handle = NULL;

		}

		destroy_workqueue(mem_share_svc_workqueue);

		return;

	}
@@ -917,8 +922,11 @@ static int memshare_remove(struct platform_device *pdev) 
		return 0;



	flush_workqueue(mem_share_svc_workqueue);

	if (mem_share_svc_handle) {

		qmi_handle_release(mem_share_svc_handle);

		kfree(mem_share_svc_handle);

		mem_share_svc_handle = NULL;

	}

	destroy_workqueue(mem_share_svc_workqueue);

	return 0;

}