
Commit 1c680479 authored by Anmolpreet Kaur, committed by Gerrit - the friendly Code Review server

smcinvoke: Handle NULL dereference for cb_req



When kernel fails to allocate memory for cb_req,
cb_req remains NULL. Going to out label is not required
since cb_txn till this point is also NULL.

Change-Id: I4f5d5bc9310a726878f306c8b65b131b4ca1e2f1
Signed-off-by: Anmolpreet Kaur <anmolpre@codeaurora.org>
parent dabca6e5
+9 −5
@@ -850,8 +850,10 @@ static void process_tzcb_req(void *buf, size_t buf_len, struct file **arr_filp)

	cb_req = kmemdup(buf, buf_len, GFP_KERNEL);
	if (!cb_req) {
		ret =  OBJECT_ERROR_KMEM;
		goto out;
		/* we need to return error to caller so fill up result */
		cb_req = buf;
		cb_req->result = OBJECT_ERROR_KMEM;
		return;
	}

	/* check whether it is to be served by kernel or userspace */
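
Review bot: in the kmemdup failure branch, `cb_req = buf; cb_req->result = OBJECT_ERROR_KMEM;` stores through buf with no visible check that buf_len covers the result field; if that validation is not already done by the caller or earlier in process_tzcb_req, add it before this store. Reusing cb_req as an alias for buf also makes the branch easy to misread, because everywhere else cb_req is the kmemdup'd copy; a separate local pointer for the store would keep the two roles apart. The early `return` skips the `mutex_unlock(&g_smcinvoke_lock)` at the end of the function, so please confirm the lock is not yet held at this point, since its acquisition is outside the visible context.
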
@@ -909,9 +911,11 @@ static void process_tzcb_req(void *buf, size_t buf_len, struct file **arr_filp)
			release_tzhandle_locked(cb_req->hdr.tzhandle);
		}
	}
	if (cb_txn) {
		hash_del(&cb_txn->hash);
		memcpy(buf, cb_req, buf_len);
		kref_put(&cb_txn->ref_cnt, delete_cb_txn);
	}
	mutex_unlock(&g_smcinvoke_lock);
}
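
Review bot: with `memcpy(buf, cb_req, buf_len)` inside `if (cb_txn)`, any path that reaches this point with cb_txn still NULL returns without copying cb_req back into buf, so a result written into the kmemdup'd copy would never reach the caller. The comment in the first hunk mentions requests served by the kernel rather than userspace; please confirm that path either has a cb_txn here or writes its result to buf some other way. From the visible lines it is also not clear who frees the kmemdup'd cb_req when cb_txn is NULL; if the free happens only in delete_cb_txn, that case leaks the copy and needs an explicit kfree.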