diag: Rectify possible double free in memory device mode (fdfa87a6) · Commits · e / devices / android_kernel_xiaomi_markw

drivers/char/diag/diag_memorydevice.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -109,11 +109,11 @@ void diag_md_close_all()
		* internal buffers in the table so that there are no stale
		* entries.
		*/
		spin_lock_irqsave(&ch->lock, flags);
		for (j = 0; j < ch->num_tbl_entries; j++) {
		entry = &ch->tbl[j];
		if (entry->len <= 0)
		continue;
		spin_lock_irqsave(&ch->lock, flags);
		if (ch->ops && ch->ops->write_done)
		ch->ops->write_done(entry->buf, entry->len,
		entry->ctx,
		@@ -121,8 +121,8 @@ void diag_md_close_all()
		entry->buf = NULL;
		entry->len = 0;
		entry->ctx = 0;
		spin_unlock_irqrestore(&ch->lock, flags);
		}
		spin_unlock_irqrestore(&ch->lock, flags);
		}

		diag_ws_reset(DIAG_WS_MUX);
		@@ -329,6 +329,9 @@ int diag_md_close_peripheral(int id, uint8_t peripheral)
		ch->ops->write_done(entry->buf, entry->len,
		entry->ctx,
		DIAG_MEMORY_DEVICE_MODE);
		entry->buf = NULL;
		entry->len = 0;
		entry->ctx = 0;
		}
		}
		spin_unlock_irqrestore(&ch->lock, flags);

+1 −0

Original line number	Diff line number	Diff line
		@@ -1491,6 +1491,7 @@ static int diagfwd_mux_write_done(unsigned char *buf, int len, int buf_ctxt,
		} else if (peripheral == APPS_DATA) {
		diagmem_free(driver, (unsigned char *)buf,
		POOL_TYPE_HDLC);
		buf = NULL;
		} else {
		pr_err_ratelimited("diag: Invalid peripheral %d in %s, type: %d\n",
		peripheral, __func__, type);