
Commit 2545f4bb authored by Hardik Arya's avatar Hardik Arya Committed by Gerrit - the friendly Code Review server

diag: Do not include unallocated buffer to md table



Currently the apps data buffer can be copied into the
diag_md table after it has been freed. The patch adds the
buffer to the table only when the buffer is allocated.

Change-Id: Ie78a74f64cb3c3e3a49077f8ed33b3f2662ea29e
Signed-off-by: default avatarHardik Arya <harya@codeaurora.org>
parent fb50b6d0
+17 −3
@@ -177,7 +177,7 @@ int diag_md_write(int id, unsigned char *buf, int len, int ctx)
{
	int i, peripheral, pid = 0;
	uint8_t found = 0;
	unsigned long flags;
	unsigned long flags, flags_sec;
	struct diag_md_info *ch = NULL;
	struct diag_md_session_t *session_info = NULL;

@@ -209,6 +209,16 @@ int diag_md_write(int id, unsigned char *buf, int len, int ctx)
	}

	spin_lock_irqsave(&ch->lock, flags);
	if (peripheral == APPS_DATA) {
		spin_lock_irqsave(&driver->diagmem_lock, flags_sec);
		if (!hdlc_data.allocated && !non_hdlc_data.allocated) {
			spin_unlock_irqrestore(&driver->diagmem_lock,
				flags_sec);
			spin_unlock_irqrestore(&ch->lock, flags);
			mutex_unlock(&driver->md_session_lock);
			return -EINVAL;
		}
	}
	for (i = 0; i < ch->num_tbl_entries && !found; i++) {
		if (ch->tbl[i].buf != buf)
			continue;
@@ -220,14 +230,16 @@ int diag_md_write(int id, unsigned char *buf, int len, int ctx)
		ch->tbl[i].len = 0;
		ch->tbl[i].ctx = 0;
	}
	spin_unlock_irqrestore(&ch->lock, flags);

	if (found) {
		if (peripheral == APPS_DATA)
			spin_unlock_irqrestore(&driver->diagmem_lock,
				flags_sec);
		spin_unlock_irqrestore(&ch->lock, flags);
		mutex_unlock(&driver->md_session_lock);
		return -ENOMEM;
	}

	spin_lock_irqsave(&ch->lock, flags);
	for (i = 0; i < ch->num_tbl_entries && !found; i++) {
		if (ch->tbl[i].len == 0) {
			ch->tbl[i].buf = buf;
@@ -237,6 +249,8 @@ int diag_md_write(int id, unsigned char *buf, int len, int ctx)
			diag_ws_on_read(DIAG_WS_MUX, len);
		}
	}
	if (peripheral == APPS_DATA)
		spin_unlock_irqrestore(&driver->diagmem_lock, flags_sec);
	spin_unlock_irqrestore(&ch->lock, flags);
	mutex_unlock(&driver->md_session_lock);
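Review bot: The guard added at `if (!hdlc_data.allocated && !non_hdlc_data.allocated)` bails out only when neither apps buffer is allocated, so it does not tie `buf` itself to a live allocation: while one of the two is still allocated, a `buf` that came from the other, already freed one passes the check and is stored by `ch->tbl[i].buf = buf`. If APPS_DATA writes always pass one of these two buffers (not visible here; `temp->buf` in diagfwd_mux_write_done suggests the structs carry the pointer), the test could check the owner of `buf` instead, e.g. `if (!((hdlc_data.allocated && buf == hdlc_data.buf) || (non_hdlc_data.allocated && buf == non_hdlc_data.buf)))`. The guard is also only sound if the free path clears `allocated` while holding `driver->diagmem_lock`, which the diagfwd_mux_write_done hunk does not show. `ch->lock` is now held outside `driver->diagmem_lock` for the whole table update, so a comment at the first `spin_lock_irqsave` stating that lock order would help; diag_md_write continues past the last hunk shown.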

+3 −0
@@ -1945,6 +1945,9 @@ static int diagfwd_mux_write_done(unsigned char *buf, int len, int buf_ctxt,
				DIAG_LOG(DIAG_DEBUG_PERIPHERALS,
				"No apps data buffer is allocated to be freed\n");
			if (temp) {
				DIAG_LOG(DIAG_DEBUG_PERIPHERALS,
				"Freeing Apps data buffer after write done hdlc.allocated: %d, non_hdlc.allocated: %d\n",
				hdlc_data.allocated, non_hdlc_data.allocated);
				diagmem_free(driver, temp->buf, POOL_TYPE_HDLC);
				temp->buf = NULL;
				temp->len = 0;