
Commit 6f1987e5 authored by Hardik Arya, committed by Gerrit - the friendly Code Review server

diag: Add protection while accessing usb_info's buffer table



Currently there is a possibility of NULL pointer dereference while
accessing usb_info's buffer table due to missing proper protection.
The patch adds protection for the same.

Change-Id: I974a70a48e7ac47b42bc237aac4db1b9e47be6be
Signed-off-by: Hardik Arya <harya@codeaurora.org>
parent 0bc8b592
+3 −1
@@ -308,23 +308,25 @@ static void diag_usb_write_done(struct diag_usb_info *ch,
	if (!ch || !req)
		return;

	spin_lock_irqsave(&ch->write_lock, flags);
	ch->write_cnt++;
	entry = diag_usb_buf_tbl_get(ch, req->context);
	if (!entry) {
		pr_err_ratelimited("diag: In %s, unable to find entry %pK in the table\n",
				   __func__, req->context);
		spin_unlock_irqrestore(&ch->write_lock, flags);
		return;
	}
	if (atomic_read(&entry->ref_count) != 0) {
		DIAG_LOG(DIAG_DEBUG_MUX, "partial write_done ref %d\n",
			 atomic_read(&entry->ref_count));
		diag_ws_on_copy_complete(DIAG_WS_MUX);
		spin_unlock_irqrestore(&ch->write_lock, flags);
		diagmem_free(driver, req, ch->mempool);
		return;
	}
	DIAG_LOG(DIAG_DEBUG_MUX, "full write_done, ctxt: %d\n",
		 ctxt);
	spin_lock_irqsave(&ch->write_lock, flags);
	list_del(&entry->track);
	ctxt = entry->ctxt;
	buf = entry->buf;
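
Review bot: The DIAG_LOG "full write_done, ctxt: %d" call near the end of this hunk reads ctxt before the `ctxt = entry->ctxt;` assignment that follows list_del(), so within the visible lines it logs a value that does not belong to this entry; move the log below the assignment or print entry->ctxt directly. Separately, with spin_lock_irqsave(&ch->write_lock, flags) now taken ahead of ch->write_cnt++ and diag_usb_buf_tbl_get(), every exit has to release the lock: the !entry and ref_count != 0 returns do, but the unlock for the full write_done path lies outside the lines shown and should be confirmed. The rendered hunk carries no +/- markers and shows spin_lock_irqsave() both at the top and again before list_del(); the second one needs to be the removed line, since taking write_lock twice on the same path would deadlock.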