commit e711b1604c9cb2a6f2e4e7e8f896621596290c8b
author Monika Singh <monising@codeaurora.org> Tue Apr 24 09:54:50 2018 +0530
committer Gerrit - the friendly Code Review server <code-review@localhost> Fri Jun 22 02:08:39 2018 -0700
tree 2e7ac59b1185af0551996d78c2cf53a725fcdbab
parent 9cba6936473c25b39691a8cedcd83a7459dab788

ARM: dts: msm: Untrusted pointer dereference

To avoid access of variable after being freed, using
list_first_entry_safe function to iterate over list
of given type,safe against removal of list entry.

Change-Id: I70611fddf3e9b80b1affa3e5235be24eac0d0a58
Signed-off-by: Monika Singh <monising@codeaurora.org>

drivers/misc/qseecom.c

diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index 07fb743..07ae56f 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -8778,6 +8778,7 @@
 static int qseecom_remove(struct platform_device *pdev)
 {
 	struct qseecom_registered_kclient_list *kclient = NULL;
+	struct qseecom_registered_kclient_list *kclient_tmp = NULL;
 	unsigned long flags = 0;
 	int ret = 0;
 	int i;
@@ -8787,10 +8788,8 @@
 	atomic_set(&qseecom.qseecom_state, QSEECOM_STATE_NOT_READY);
 	spin_lock_irqsave(&qseecom.registered_kclient_list_lock, flags);
 
-	list_for_each_entry(kclient, &qseecom.registered_kclient_list_head,
-								list) {
-		if (!kclient)
-			goto exit_irqrestore;
+	list_for_each_entry_safe(kclient, kclient_tmp,
+		&qseecom.registered_kclient_list_head, list) {
 
 		/* Break the loop if client handle is NULL */
 		if (!kclient->handle)
@@ -8814,7 +8813,7 @@
 	kzfree(kclient->handle);
 exit_free_kclient:
 	kzfree(kclient);
-exit_irqrestore:
+
 	spin_unlock_irqrestore(&qseecom.registered_kclient_list_lock, flags);
 
 	if (qseecom.qseos_version > QSEEE_VERSION_00)