malhuda/msm-4.14
1
0
Fork 0
mirror of https://github.com/rd-stuffs/msm-4.14.git synced 2025-02-20 11:45:48 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

rpmsg: glink: spi: Fix use after free of channel refcount

Browse Source 
Channel reference count is used after free in case of channel
is not fully opened due to errors and SSR happens.

Remove the channel ID from glink LCID list for last reference to
avoid re-using the stale pointer from LCID list.

Change-Id: If038dd4d09440b925537ef2dab86fc80a07b203c
Signed-off-by: Chris Lew <clew@codeaurora.org>
This commit is contained in:
Chris Lew 2018-07-23 10:29:51 -07:00
parent f961f2e666
commit 6da83f9df5
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/rpmsg/qcom_glink_spi.c
View File

@ -2443,8 +2443,10 @@ static void glink_spi_remove(struct glink_spi *glink)
spin_lock_irqsave(&glink->idr_lock, flags);
/* Release any defunct local channels, waiting for close-ack */
idr_for_each_entry(&glink->lcids, channel, cid)
kref_put(&channel->refcount, glink_spi_channel_release);
idr_for_each_entry(&glink->lcids, channel, cid) {
if (kref_put(&channel->refcount, glink_spi_channel_release))
idr_remove(&glink->lcids, cid);
}
/* Release any defunct local channels, waiting for close-req */
idr_for_each_entry(&glink->lcids, channel, cid)