samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: fix a double-free in ipa uc ready callback

Browse Source 
hdd_ipa_uc_loaded_uc_cb() allocates a msg buffer and passes it to
workqueue handler. Both hdd_ipa_uc_loaded_uc_cb() and workqueue
handler free the msg buffer, which leads to wrong memory dereference.

Fix is to return directly in hdd_ipa_uc_loaded_uc_cb() and let workqueue
handler free the msg buffer.

Change-Id: I842700e7fe94dc9a77fba966d918a054bc79f36a
CRs-Fixed: 2069189
This commit is contained in:
jiad
2017-08-01 14:46:02 +08:00
committed by snandini
parent 48c4709f8d
commit d91a6840f6
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
core/hdd/src/wlan_hdd_ipa.c
View File

@@ -699,6 +699,9 @@ static void hdd_ipa_uc_loaded_uc_cb(void *priv_ctxt)
uc_op_work->msg = msg; uc_op_work->msg = msg;
schedule_work(&uc_op_work->work); schedule_work(&uc_op_work->work);
/* work handler will free the msg buffer */
return;
done: done:
qdf_mem_free(msg); qdf_mem_free(msg);
} }
@@ -2348,6 +2351,7 @@ static void hdd_ipa_uc_op_cb(struct op_msg_type *op_msg, void *usr_ctxt)
if (HDD_IPA_UC_OPCODE_MAX <= msg->op_code) { if (HDD_IPA_UC_OPCODE_MAX <= msg->op_code) {
HDD_IPA_LOG(QDF_TRACE_LEVEL_ERROR, HDD_IPA_LOG(QDF_TRACE_LEVEL_ERROR,
"%s, INVALID OPCODE %d", __func__, msg->op_code); "%s, INVALID OPCODE %d", __func__, msg->op_code);
qdf_mem_free(op_msg);
return; return;
} }