dfc: fix use-after-free (21e13df8) · Commits · e / devices / android_kernel_fairphone_FP5

core/dfc_qmap.c

+6 −3

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
		* Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		#include <net/pkt_sched.h>
		@@ -139,11 +140,13 @@ static void dfc_qmap_send_cmd(struct sk_buff *skb)
		{
		trace_dfc_qmap(skb->data, skb->len, false);

		if (unlikely(!rmnet_ctl \|\| !rmnet_ctl->send) \|\|
		rmnet_ctl->send(rmnet_ctl_handle, skb)) {
		pr_err("Failed to send to rmnet ctl\n");
		if (unlikely(!rmnet_ctl \|\| !rmnet_ctl->send)) {
		kfree_skb(skb);
		return;
		}

		if (rmnet_ctl->send(rmnet_ctl_handle, skb))
		pr_err("Failed to send to rmnet ctl\n");
		}

		static void dfc_qmap_send_inband_ack(struct dfc_qmi_data *dfc,

+7 −2

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/* Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
		* Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
		*
		* RMNET_CTL client handlers
		*
		@@ -171,8 +172,10 @@ int rmnet_ctl_send_client(void handle, struct sk_buff skb)
		struct rmnet_ctl_dev *dev;
		int rc = -EINVAL;

		if (client != rcu_dereference(ctl_ep.client))
		if (client != rcu_dereference(ctl_ep.client)) {
		kfree_skb(skb);
		return rc;
		}

		rmnet_ctl_log_info("TX", skb->data, skb->len);

		@@ -181,11 +184,13 @@ int rmnet_ctl_send_client(void handle, struct sk_buff skb)
		dev = rcu_dereference(ctl_ep.dev);
		if (dev && dev->xmit)
		rc = dev->xmit(dev, skb);
		else
		kfree_skb(skb);

		rcu_read_unlock();

		if (rc)
		rmnet_ctl_log_err("TXE", rc, skb->data, skb->len);
		rmnet_ctl_log_err("TXE", rc, NULL, 0);

		return rc;
		}