
Commit 3f41916c authored by Arun Kumar Neelakantam

soc: qcom: qmi_interface: use qmi txn_lock to avoid use after free of txn
In some cases txn is freed before the mutex_unlock() API returns,
causing an invalid pointer access.

Protect the txn with qmi txn_lock to avoid the invalid pointer access.

CRs-Fixed: 2470638
Change-Id: I05ccde9a77d2913a396c8505bb3199b28fc021c2
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
parent d16a6408
+16 −16
@@ -508,24 +508,24 @@ static void qmi_handle_message(struct qmi_handle *qmi,
	if (hdr->type == QMI_RESPONSE) {
		mutex_lock(&qmi->txn_lock);
		txn = idr_find(&qmi->txns, hdr->txn_id);
		if (txn)
			mutex_lock(&txn->lock);
		/* Ignore unexpected responses */
		if (!txn) {
			mutex_unlock(&qmi->txn_lock);
			return;
		}

	if (txn && txn->dest && txn->ei) {
		mutex_lock(&txn->lock);
		if (txn->dest && txn->ei) {
			ret = qmi_decode_message(buf, len, txn->ei, txn->dest);
			if (ret < 0)
				pr_err("failed to decode incoming message\n");

			txn->result = ret;
			complete(&txn->completion);

		mutex_unlock(&txn->lock);
	} else if (txn) {
		} else {
			qmi_invoke_handler(qmi, sq, txn, buf, len);

		}
		mutex_unlock(&txn->lock);
		mutex_unlock(&qmi->txn_lock);
	} else {
		/* Create a txn based on the txn_id of the incoming message */
		memset(&tmp_txn, 0, sizeof(tmp_txn));
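Review bot: holding qmi->txn_lock across qmi_decode_message() and qmi_invoke_handler() (the unlock now sits after the handler call, at `mutex_unlock(&qmi->txn_lock);` just before the `} else {`) turns the short lookup lock into a long critical section, so any code reached from qmi_invoke_handler() that itself needs qmi->txn_lock on the same handle, for example to register a new transaction before sending a request, would deadlock on this path; please state in the commit message that handlers must not take txn_lock, or add a comment above the `if (hdr->type == QMI_RESPONSE)` block noting the lock order (qmi->txn_lock, then txn->lock) and that the outer lock is kept until after complete() so the waiter cannot free txn while it is still in use. The early `return` in the `if (!txn)` branch correctly releases qmi->txn_lock, and dropping the separate `if (txn)` guards is consistent with that return, so the unlock pairing in the new version reads as balanced.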