Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2cd1ae43 authored by Monika Singh's avatar Monika Singh Committed by Gerrit - the friendly Code Review server
Browse files

ARM: dts: msm: Untrusted pointer dereference 



To avoid access of variable after being freed, using
list_first_entry_safe function to iterate over list
of given type, safe against removal of list entry.

Change-Id: I70611fddf3e9b80b1affa3e5235be24eac0d0a58
Signed-off-by: default avatarMonika Singh <monising@codeaurora.org>
parent 80d63754

drivers/misc/qseecom.c

+4 −5
Original line number Diff line number Diff line
@@ -8635,6 +8635,7 @@ exit_unreg_chrdev_region: 
static int qseecom_remove(struct platform_device *pdev)

{

	struct qseecom_registered_kclient_list *kclient = NULL;

	struct qseecom_registered_kclient_list *kclient_tmp = NULL;

	unsigned long flags = 0;

	int ret = 0;

	int i;
@@ -8644,10 +8645,8 @@ static int qseecom_remove(struct platform_device *pdev) 
	atomic_set(&qseecom.qseecom_state, QSEECOM_STATE_NOT_READY);

	spin_lock_irqsave(&qseecom.registered_kclient_list_lock, flags);



	list_for_each_entry(kclient, &qseecom.registered_kclient_list_head,

								list) {

		if (!kclient)

			goto exit_irqrestore;

	list_for_each_entry_safe(kclient, kclient_tmp,

		&qseecom.registered_kclient_list_head, list) {



		/* Break the loop if client handle is NULL */

		if (!kclient->handle)
@@ -8671,7 +8670,7 @@ exit_free_kc_handle: 
	kzfree(kclient->handle);

exit_free_kclient:

	kzfree(kclient);

exit_irqrestore:



	spin_unlock_irqrestore(&qseecom.registered_kclient_list_lock, flags);



	if (qseecom.qseos_version > QSEEE_VERSION_00)