
Commit 5fd02fe3 authored by Anmolpreet Kaur's avatar Anmolpreet Kaur

smcinvoke: Handle NULL dereference for cb_req



When the kernel fails to allocate memory for cb_req,
cb_req remains NULL. Jumping to the out label is not required,
since cb_txn is also still NULL at this point.

Change-Id: I4f5d5bc9310a726878f306c8b65b131b4ca1e2f1
Signed-off-by: default avatarAnmolpreet Kaur <anmolpre@codeaurora.org>
parent 35fd0366
+9 −5
@@ -847,8 +847,10 @@ static void process_tzcb_req(void *buf, size_t buf_len, struct file **arr_filp)

	cb_req = kzalloc(buf_len, GFP_KERNEL);
	if (!cb_req) {
		ret =  OBJECT_ERROR_KMEM;
		goto out;
		/* we need to return error to caller so fill up result */
		cb_req = buf;
		cb_req->result = OBJECT_ERROR_KMEM;
		return;
	}
	memcpy(cb_req, buf, buf_len);

@@ -907,9 +909,11 @@ static void process_tzcb_req(void *buf, size_t buf_len, struct file **arr_filp)
			release_tzhandle_locked(cb_req->hdr.tzhandle);
		}
	}
	if (cb_txn) {
		hash_del(&cb_txn->hash);
		memcpy(buf, cb_req, buf_len);
		kref_put(&cb_txn->ref_cnt, delete_cb_txn);
	}
	mutex_unlock(&g_smcinvoke_lock);
}
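Review bot: In the second hunk, moving `memcpy(buf, cb_req, buf_len);` under the new `if (cb_txn)` guard means that any path reaching this point with cb_req allocated but cb_txn still NULL never copies the result back into buf, so the caller would not see the error. The visible lines also release nothing for cb_req on that path; if delete_cb_txn is what frees it (not visible here), the kzalloc'd copy would leak. Consider keeping the copy-back outside the guard and adding `else kfree(cb_req);` once ownership of cb_req is confirmed. In the first hunk the early `return;` bypasses the `mutex_unlock(&g_smcinvoke_lock);` at the end of the function, which is correct only if the lock is taken after this allocation; a comment such as `/* g_smcinvoke_lock is not held yet, so returning directly is safe */` would record that assumption. The body of process_tzcb_req begins outside both hunks, so the lock acquisition and any buf_len check before `cb_req = buf;` could not be confirmed from here.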