
Commit 4d1903a8 authored by Satya Durga Srinivasu Prabhala's avatar Satya Durga Srinivasu Prabhala

soc: qcom: sysmon-qmi: fix object corruption due to use after free



While executing multimedia tests which include ADSP SSR testing,
the object corruption below was observed due to a use-after-free condition.
Add a mutex lock to fix the issue.

===============================================
BUG kmalloc-1024 (Tainted: G        W  O   ): \
			Poison overwritten
-----------------------------------------------

INFO: 0xffffffc030db0cb0-0xffffffc030db0cba. \
		First byte 0xff instead of 0x6b
INFO: Allocated in qmi_handle_create+0x4c/0x320 \
			age=14486 cpu=4 pid=32505
	alloc_debug_processing+0x138/0x18c
	___slab_alloc.constprop.61+0x4ec/0x5d0
	__slab_alloc.isra.58.constprop.60+0x48/0x74
	kmem_cache_alloc_trace+0xd4/0x25c
	qmi_handle_create+0x4c/0x320
	sysmon_clnt_svc_arrive+0x34/0xe4
	process_one_work+0x234/0x40c
	worker_thread+0x2e0/0x410
	kthread+0xf4/0xfc
	ret_from_fork+0x10/0x40
INFO: Freed in qmi_handle_destroy+0x154/0x16c \
			age=1159 cpu=4 pid=3784
	free_debug_processing+0x290/0x368
	__slab_free+0x74/0x3ac
	kfree+0x21c/0x290
	qmi_handle_destroy+0x154/0x16c
	sysmon_clnt_svc_exit+0x20/0x30
	process_one_work+0x234/0x40c
	worker_thread+0x2e0/0x410
	kthread+0xf4/0xfc
	ret_from_fork+0x10/0x40

CRs-Fixed: 2009777
Change-Id: If3730f5f972424d49d43d552b7fd1a28e4e0b794
Signed-off-by: default avatarSatya Durga Srinivasu Prabhala <satyap@codeaurora.org>
parent 3bf75ddd
+7 −1
/*
 * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
 * Copyright (c) 2014-2015, 2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -153,10 +153,12 @@ static void sysmon_clnt_svc_arrive(struct work_struct *work)
	struct sysmon_qmi_data *data = container_of(work,
					struct sysmon_qmi_data, svc_arrive);

	mutex_lock(&sysmon_lock);
	/* Create a Local client port for QMI communication */
	data->clnt_handle = qmi_handle_create(sysmon_clnt_notify, work);
	if (!data->clnt_handle) {
		pr_err("QMI client handle alloc failed for %s\n", data->name);
		mutex_unlock(&sysmon_lock);
		return;
	}

@@ -167,6 +169,7 @@ static void sysmon_clnt_svc_arrive(struct work_struct *work)
								data->name);
		qmi_handle_destroy(data->clnt_handle);
		data->clnt_handle = NULL;
		mutex_unlock(&sysmon_lock);
		return;
	}
	pr_info("Connection established between QMI handle and %s's SSCTL service\n"
@@ -177,6 +180,7 @@ static void sysmon_clnt_svc_arrive(struct work_struct *work)
	if (rc < 0)
		pr_warn("%s: Could not register the indication callback\n",
								data->name);
	mutex_unlock(&sysmon_lock);
}

static void sysmon_clnt_svc_exit(struct work_struct *work)
@@ -184,8 +188,10 @@ static void sysmon_clnt_svc_exit(struct work_struct *work)
	struct sysmon_qmi_data *data = container_of(work,
					struct sysmon_qmi_data, svc_exit);

	mutex_lock(&sysmon_lock);
	qmi_handle_destroy(data->clnt_handle);
	data->clnt_handle = NULL;
	mutex_unlock(&sysmon_lock);
}

static void sysmon_clnt_recv_msg(struct work_struct *work)
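Review bot: The new `sysmon_lock` covers only the create and destroy sides of `data->clnt_handle` (the `qmi_handle_create` call in `sysmon_clnt_svc_arrive` and the `qmi_handle_destroy` call in `sysmon_clnt_svc_exit`), so the use-after-free the commit describes is closed only if every other reader of `clnt_handle` also takes the lock; the receive path that begins at `sysmon_clnt_recv_msg` runs past the hunk, and any request sender that dereferences `data->clnt_handle` is not visible here, so if those still run unlocked `sysmon_clnt_svc_exit` can free the handle underneath them. Worth confirming that the remaining users either hold `sysmon_lock` or re-check `data->clnt_handle` for NULL under it, and recording the rule where the field is declared, e.g. `/* clnt_handle: created, destroyed and dereferenced only under sysmon_lock */`. It is also worth confirming that `qmi_handle_destroy()` does not wait for a `sysmon_clnt_notify` callback that itself acquires `sysmon_lock`, since that would deadlock inside `sysmon_clnt_svc_exit`. `sysmon_lock` is defined outside this diff, so it is presumed to be one file-scope mutex serializing every subsystem's client; if several subsystems undergo SSR at once this serializes their QMI setup, which may be acceptable but should be a deliberate choice.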