haven: dbl: Fix use-after-free in tx/rx unregister (beb519f7) · Commits · e / devices / android_kernel_fairphone_FP5

drivers/virt/haven/hh_dbl.c

+6 −6

Original line number	Original line	Diff line number	Diff line
	@@ -443,6 +443,9 @@ int hh_dbl_tx_unregister(void *dbl_client_desc)
	return -EINVAL;		return -EINVAL;
	}		}

			pr_debug("%s: Unregistering client for label: %d\n",
			__func__, client_desc->label);

	/* Rx client still holding the "client_desc". Do not remove now. */		/* Rx client still holding the "client_desc". Do not remove now. */
	if (!cap_table_entry->rx_reg_done) {		if (!cap_table_entry->rx_reg_done) {
	cap_table_entry->client_desc = NULL;		cap_table_entry->client_desc = NULL;
	@@ -454,9 +457,6 @@ int hh_dbl_tx_unregister(void *dbl_client_desc)
	cap_table_entry->tx_reg_done = 0;		cap_table_entry->tx_reg_done = 0;
	mutex_unlock(&cap_table_entry->cap_entry_lock);		mutex_unlock(&cap_table_entry->cap_entry_lock);

	pr_debug("%s: Unregistered client for label: %d\n",
	__func__, client_desc->label);

	return 0;		return 0;
	}		}
	EXPORT_SYMBOL(hh_dbl_tx_unregister);		EXPORT_SYMBOL(hh_dbl_tx_unregister);
	@@ -494,6 +494,9 @@ int hh_dbl_rx_unregister(void *dbl_client_desc)
	return -EINVAL;		return -EINVAL;
	}		}

			pr_debug("%s: Unregistering client for label: %d\n", __func__,
			client_desc->label);

	/* Tx client still holding the "client_desc". Do not remove now.*/		/* Tx client still holding the "client_desc". Do not remove now.*/
	if (!cap_table_entry->tx_reg_done) {		if (!cap_table_entry->tx_reg_done) {
	cap_table_entry->client_desc = NULL;		cap_table_entry->client_desc = NULL;
	@@ -508,9 +511,6 @@ int hh_dbl_rx_unregister(void *dbl_client_desc)

	mutex_unlock(&cap_table_entry->cap_entry_lock);		mutex_unlock(&cap_table_entry->cap_entry_lock);

	pr_debug("%s: Unregistered client for label: %d\n", __func__,
	client_desc->label);

	return 0;		return 0;
	}		}
	EXPORT_SYMBOL(hh_dbl_rx_unregister);		EXPORT_SYMBOL(hh_dbl_rx_unregister);