qcedev: ensure sequential req_done on error

req_done is usually scheduled on success scenarios as
it needs to wakeup the sleep thread. However, in the
scenario where sleep has timed out, there is nothing to
wake up, and req_done can be called sequentially instead
of scheduling it (which might cause use after free).

Test: OEMCrypto tests.

Change-Id: I296076fcb43d91d16b00f08819dca45bd9049198
Signed-off-by: Gaurav Kashyap <[email protected]>
Gaurav Kashyap, 2 years ago
Parent
Current commit
8f021039d5
1 file changed, 4 insertions and 3 deletions
+ 4 - 3
crypto-qti/qcedev.c

@@ -315,8 +315,9 @@ static void req_done(unsigned long data)
 	areq = podev->active_command;
 	podev->active_command = NULL;
 
-	if (areq && !areq->timed_out) {
-		complete(&areq->complete);
+	if (areq) {
+		if (!areq->timed_out)
+			complete(&areq->complete);
 		areq->state = QCEDEV_REQ_DONE;
 	}
 
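Review bot: The write `areq->state = QCEDEV_REQ_DONE;` now also runs for a timed-out request, which the old condition `areq && !areq->timed_out` skipped entirely. That is only safe if `areq` is still live when `req_done` runs. The commit message names use after free as the risk when `req_done` is deferred, and this function keeps the tasklet signature `(unsigned long data)`, so any remaining path that still schedules it for a timed-out request would now write to the request rather than just read `timed_out`. Please confirm that no such path remains, and add a comment above the `if (areq)` block stating that the timed-out case is only expected from the synchronous call and why the request cannot have been released by then.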
@@ -812,7 +813,7 @@ static int submit_req(struct qcedev_async_req *qcedev_areq,
 			pr_err("%s: error during manage timeout", __func__);
 
 		spin_unlock_irqrestore(&podev->lock, flags);
-		tasklet_schedule(&podev->done_tasklet);
+		req_done((unsigned long) podev);
 		if (qcedev_areq->offload_cipher_op_req.err !=
 						QCEDEV_OFFLOAD_NO_ERROR)
 			return 0;
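Review bot: The direct call `req_done((unsigned long) podev);` is made right after `spin_unlock_irqrestore(&podev->lock, flags);`, so from this point `req_done` reads and clears `podev->active_command` in the submitter's context rather than in the tasklet. The visible lines do not show whether `req_done` takes `podev->lock` itself or whether `done_tasklet` can still be scheduled from the completion path for the same request. If it can, the two invocations can race on `active_command`. Please state in a comment here why the synchronous call is required on the timeout path (the waiter has already given up, so nothing needs waking) and what prevents a concurrent tasklet run. Style nit: kernel style has no space after a cast, so `(unsigned long)podev`.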