msm: bam_dmux: fix accessing memory after free
Fixes an access to rx_hdr, which points into the SKB, after
the SKB has been freed.
Change-Id: I60a012b6154f2cb2ba20fb47c82c8bee20235614
CRs-Fixed: 316420
Signed-off-by: Eric Holmberg <eholmber@codeaurora.org>
diff --git a/arch/arm/mach-msm/bam_dmux.c b/arch/arm/mach-msm/bam_dmux.c
index 317248e..d1c788b 100644
--- a/arch/arm/mach-msm/bam_dmux.c
+++ b/arch/arm/mach-msm/bam_dmux.c
@@ -301,25 +301,25 @@
spin_lock_irqsave(&bam_ch[rx_hdr->ch_id].lock, flags);
bam_ch[rx_hdr->ch_id].status |= BAM_CH_REMOTE_OPEN;
spin_unlock_irqrestore(&bam_ch[rx_hdr->ch_id].lock, flags);
- dev_kfree_skb_any(rx_skb);
queue_rx();
ret = platform_device_add(bam_ch[rx_hdr->ch_id].pdev);
if (ret)
pr_err("%s: platform_device_add() error: %d\n",
__func__, ret);
+ dev_kfree_skb_any(rx_skb);
break;
case BAM_MUX_HDR_CMD_CLOSE:
/* probably should drop pending write */
spin_lock_irqsave(&bam_ch[rx_hdr->ch_id].lock, flags);
bam_ch[rx_hdr->ch_id].status &= ~BAM_CH_REMOTE_OPEN;
spin_unlock_irqrestore(&bam_ch[rx_hdr->ch_id].lock, flags);
- dev_kfree_skb_any(rx_skb);
queue_rx();
platform_device_unregister(bam_ch[rx_hdr->ch_id].pdev);
bam_ch[rx_hdr->ch_id].pdev =
platform_device_alloc(bam_ch[rx_hdr->ch_id].name, 2);
if (!bam_ch[rx_hdr->ch_id].pdev)
pr_err("%s: platform_device_alloc failed\n", __func__);
+ dev_kfree_skb_any(rx_skb);
break;
default:
pr_err("%s: dropping invalid hdr. magic %x reserved %d cmd %d"
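Review bot: Both the open path (ending at the moved `dev_kfree_skb_any(rx_skb)` before the first `break`) and the `BAM_MUX_HDR_CMD_CLOSE` case still read `rx_hdr->ch_id` out of the SKB in every statement, so the fix holds only as long as no later change puts a use after the free again. Copying the id once into a local before the switch, e.g. `unsigned int ch_id = rx_hdr->ch_id;`, and indexing `bam_ch[ch_id]` throughout would make the channel lookups independent of the SKB's lifetime. No range check on `ch_id` is visible in this hunk, although the header appears to come from the remote side; if it is not validated earlier in the function, a guard such as `if (ch_id >= ARRAY_SIZE(bam_ch))` (assuming `bam_ch` is a fixed-size array) should precede the switch. The enclosing function and the start of the switch lie outside the hunk, so that validation may already exist there.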