
Commit 5564dc86 authored by qctecmdr's avatar qctecmdr Committed by Gerrit - the friendly Code Review server

Merge "smcinvoke: Handle NULL dereference for cb_req"

parents f277dcf9 1c680479
+9 −5
@@ -850,8 +850,10 @@ static void process_tzcb_req(void *buf, size_t buf_len, struct file **arr_filp)


	cb_req = kmemdup(buf, buf_len, GFP_KERNEL);
	cb_req = kmemdup(buf, buf_len, GFP_KERNEL);
	if (!cb_req) {
	if (!cb_req) {
		ret =  OBJECT_ERROR_KMEM;
		/* we need to return error to caller so fill up result */
		goto out;
		cb_req = buf;
		cb_req->result = OBJECT_ERROR_KMEM;
		return;
	}
	}


	/* check whether it is to be served by kernel or userspace */
	/* check whether it is to be served by kernel or userspace */
@@ -909,9 +911,11 @@ static void process_tzcb_req(void *buf, size_t buf_len, struct file **arr_filp)
			release_tzhandle_locked(cb_req->hdr.tzhandle);
			release_tzhandle_locked(cb_req->hdr.tzhandle);
		}
		}
	}
	}
	if (cb_txn) {
		hash_del(&cb_txn->hash);
		hash_del(&cb_txn->hash);
		memcpy(buf, cb_req, buf_len);
		memcpy(buf, cb_req, buf_len);
		kref_put(&cb_txn->ref_cnt, delete_cb_txn);
		kref_put(&cb_txn->ref_cnt, delete_cb_txn);
	}
	mutex_unlock(&g_smcinvoke_lock);
	mutex_unlock(&g_smcinvoke_lock);
}
}
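Review bot: In the second hunk the new `if (cb_txn) {` guard also wraps `memcpy(buf, cb_req, buf_len);`, so any path that reaches this point with `cb_txn` still NULL never copies the result from the kmemdup'd request back into `buf`, which is at odds with the first hunk's own comment that the error has to reach the caller. Consider guarding only the transaction bookkeeping and keeping the copy-back unconditional: `if (cb_txn) hash_del(&cb_txn->hash);`, then `memcpy(buf, cb_req, buf_len);`, then `if (cb_txn) kref_put(&cb_txn->ref_cnt, delete_cb_txn);`. On that same path nothing visible here frees `cb_req`; if `delete_cb_txn` is what normally releases it, the NULL-`cb_txn` case presumably leaks the copy and needs its own `kfree(cb_req);`. In the first hunk the fallback `cb_req = buf; cb_req->result = OBJECT_ERROR_KMEM;` writes a struct field through the raw buffer, so it depends on `buf` being non-NULL and `buf_len` covering `result`. Neither check is visible, because process_tzcb_req starts before the first hunk and the code between the two hunks is not shown, so this should be confirmed against the full function.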