samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BT-Kernel : use-after-free in BT power driver

Browse Source 
- after freed bt_power_release accessing
 the variables.

Change-Id: I3007c9717d7504e2fc1598d0c848421735372159
Signed-off-by: Girish BN <quic_gbn@quicinc.com>
This commit is contained in:
Girish BN
2024-04-29 16:10:54 +05:30
parent d7ea939c8b
commit 676d10819d
2 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
include/btpower.h
View File

@@ -676,6 +676,7 @@ struct platform_pwr_data {
struct work_struct wq_pwr_voting; struct work_struct wq_pwr_voting;
struct sk_buff_head rxq; struct sk_buff_head rxq;
struct mutex pwr_mtx; struct mutex pwr_mtx;
struct mutex pwr_release;
}; };
int btpower_register_slimdev(struct device *dev); int btpower_register_slimdev(struct device *dev);

12
pwr/btpower.c
View File

@@ -1576,6 +1576,7 @@ static int bt_power_probe(struct platform_device *pdev)
skb_queue_head_init(&pwr_data->rxq); skb_queue_head_init(&pwr_data->rxq);
mutex_init(&pwr_data->pwr_mtx); mutex_init(&pwr_data->pwr_mtx);
mutex_init(&pwr_data->btpower_state.state_machine_lock); mutex_init(&pwr_data->btpower_state.state_machine_lock);
mutex_init(&pwr_data->pwr_release);
pwr_data->btpower_state.power_state = IDLE; pwr_data->btpower_state.power_state = IDLE;
pwr_data->btpower_state.retention_mode = RETENTION_IDLE; pwr_data->btpower_state.retention_mode = RETENTION_IDLE;
pwr_data->btpower_state.grant_state = NO_GRANT_FOR_ANY_SS; pwr_data->btpower_state.grant_state = NO_GRANT_FOR_ANY_SS;
@@ -1621,20 +1622,21 @@ static int bt_power_probe(struct platform_device *pdev)
return 0; return 0;
free_pdata: free_pdata:
mutex_lock(&pwr_data->pwr_release);
kfree(pwr_data); kfree(pwr_data);
mutex_unlock(&pwr_data->pwr_release);
return ret; return ret;
} }
static int bt_power_remove(struct platform_device *pdev) static int bt_power_remove(struct platform_device *pdev)
{ {
mutex_lock(&pwr_data->pwr_release);
dev_dbg(&pdev->dev, "%s\n", __func__); dev_dbg(&pdev->dev, "%s\n", __func__);
probe_finished = false; probe_finished = false;
btpower_rfkill_remove(pdev); btpower_rfkill_remove(pdev);
bt_power_vreg_put(); bt_power_vreg_put();
kfree(pwr_data); kfree(pwr_data);
mutex_unlock(&pwr_data->pwr_release);
return 0; return 0;
} }
@@ -2514,6 +2516,9 @@ static long bt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
static int bt_power_release(struct inode *inode, struct file *file) static int bt_power_release(struct inode *inode, struct file *file)
{ {
mutex_lock(&pwr_data->pwr_release);
if (!pwr_data || !probe_finished) { if (!pwr_data || !probe_finished) {
pr_err("%s: BTPower Probing Pending.Try Again\n", __func__); pr_err("%s: BTPower Probing Pending.Try Again\n", __func__);
return -EAGAIN; return -EAGAIN;
@@ -2561,6 +2566,7 @@ static int bt_power_release(struct inode *inode, struct file *file)
*/ */
} }
} }
mutex_unlock(&pwr_data->pwr_release);
return 0; return 0;
} }