Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a319b09b authored by Sean Tranchetti's avatar Sean Tranchetti Committed by Subash Abhinov Kasiviswanathan
Browse files

soc: qcom: Fix module cleanup error in dfc 



A use after free was observed from qmi_data_ready.
This is due to dfc client freeing the qmi handle before it completes
cleanup. We cannot free the client data in the qmi callback function.
Fix this by making qmi_handle_release return and then free the qmi
handle as it will not be accessed after it.

CRs-Fixed: 2272269
Change-Id: Ice9858fe8b08635c074dd314a1e3eeda9eb31de3
Acked-by: default avatarNing Cai <ncai@qti.qualcomm.com>
Signed-off-by: default avatarSean Tranchetti <stranche@codeaurora.org>
parent b9c29f3b

drivers/soc/qcom/dfc_qmi.c

+10 −17
Original line number Diff line number Diff line
@@ -732,20 +732,9 @@ static void dfc_svc_exit(struct qmi_handle *qmi, struct qmi_service *svc) 
{

	struct dfc_qmi_data *data = container_of(qmi, struct dfc_qmi_data,

						 handle);

	struct qmi_info *qmi_pt;

	int client;



	trace_dfc_client_state_down(data->index, 1);

	qmi_pt = (struct qmi_info *)rmnet_get_qmi_pt(data->rmnet_port);

	if (qmi_pt) {

		for (client = 0; client < MAX_CLIENT_NUM; client++) {

			if (qmi_pt->fc_info[client].dfc_client == (void *)data)

				qmi_pt->fc_info[client].dfc_client = NULL;

			break;

		}

	}

	destroy_workqueue(data->dfc_wq);

	kfree(data);

	if (!data)

		pr_debug("%s() data is null\n", __func__);

}



static struct qmi_ops server_ops = {
@@ -814,10 +803,14 @@ void dfc_qmi_client_exit(void *dfc_data) 
{

	struct dfc_qmi_data *data = (struct dfc_qmi_data *)dfc_data;



	/* Skip this call for now due to error in qmi layer

	 * qmi_handle_release(&data->handle);

	 */

	if (!data) {

		pr_err("%s() data is null\n", __func__);

		return;

	}



	trace_dfc_client_state_down(data->index, 0);

	qmi_handle_release(&data->handle);



	drain_workqueue(data->dfc_wq);

	destroy_workqueue(data->dfc_wq);

	kfree(data);