Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b5acbec5 authored by Mohit Aggarwal's avatar Mohit Aggarwal
Browse files

diag: Fix possible double free issue 



Currently, on receiving the write completion
notification from USB, there is possibility of
double freeing the buffer. This patch takes care
of this issue.

CRs-Fixed: 967601
Change-Id: I1207e0c3f103fa9dec6d766621aec8ccea62be69
Signed-off-by: default avatarMohit Aggarwal <maggarwa@codeaurora.org>
parent 1fdcf773

drivers/char/diag/diag_usb.c

+5 −2
Original line number Diff line number Diff line 
/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.

/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -323,10 +323,13 @@ static void diag_usb_write_done(struct diag_usb_info *ch, 
	len = entry->len;

	kfree(entry);

	diag_ws_on_copy_complete(DIAG_WS_MUX);

	spin_unlock_irqrestore(&ch->write_lock, flags);



	if (ch->ops && ch->ops->write_done)

		ch->ops->write_done(buf, len, ctxt, DIAG_USB_MODE);

	buf = NULL;

	len = 0;

	ctxt = 0;

	spin_unlock_irqrestore(&ch->write_lock, flags);

	diagmem_free(driver, req, ch->mempool);

}