msm: mhi_dev: Check to prevent in_use_list access (cdc28c2b) · Commits · e / devices / android_kernel_fairphone_FP5

drivers/platform/msm/mhi_dev/mhi_uci.c

+21 −16

Original line number	Diff line number	Diff line
		@@ -1181,8 +1181,10 @@ static int mhi_uci_client_release(struct inode *mhi_inode,
		count = 0;

		spin_lock_irqsave(&uci_handle->req_lock, flags);
		if (!(uci_handle->f_flags & O_SYNC)) {
		while (!(list_empty(&uci_handle->in_use_list))) {
		ureq = container_of(uci_handle->in_use_list.next,
		ureq = container_of(
		uci_handle->in_use_list.next,
		struct mhi_req, list);
		list_del_init(&ureq->list);
		ureq->is_stale = true;
		@@ -1192,6 +1194,7 @@ static int mhi_uci_client_release(struct inode *mhi_inode,
		list_add_tail(&ureq->list, &uci_handle->req_list);
		count++;
		}
		}
		spin_unlock_irqrestore(&uci_handle->req_lock, flags);
		if (count)
		uci_log(UCI_DBG_DBG,
		@@ -2091,7 +2094,8 @@ static void mhi_uci_at_ctrl_client_cb(struct mhi_dev_client_cb_data *cb_data)
		mhi_dev_close_channel(client->out_handle);
		mhi_dev_close_channel(client->in_handle);

		/* Add back reqs for in-use list, if any, to free list */
		/* Add back reqs from in-use list, if any, to free list */
		if (!(client->f_flags & O_SYNC)) {
		while (!(list_empty(&client->in_use_list))) {
		ureq = container_of(client->in_use_list.next,
		struct mhi_req, list);
		@@ -2099,6 +2103,7 @@ static void mhi_uci_at_ctrl_client_cb(struct mhi_dev_client_cb_data *cb_data)
		/* Add to in-use list */
		list_add_tail(&ureq->list, &client->req_list);
		}
		}

		for (i = 0; i < (client->in_chan_attr->nr_trbs); i++) {
		kfree(client->in_buf_list[i].addr);