qcacld-3.0: Acquire lock to protect hdd_ctx in hdd_driver_memdump_read()
qcacld-2.0 to qcacld-3.0 propagation.
Two threads reading the procfs entry concurrently can race, and one of them may
then access hdd_ctx->driver_dump_mem after the other has freed it (use-after-free).
Hence, acquire a lock to protect hdd_ctx.
Change-Id: If871f4ceadf650978e16b4a336f688a0dae1c494
CRs-Fixed: 2005832
diff --git a/core/hdd/src/wlan_hdd_memdump.c b/core/hdd/src/wlan_hdd_memdump.c
index 9980d91..a64f806 100644
--- a/core/hdd/src/wlan_hdd_memdump.c
+++ b/core/hdd/src/wlan_hdd_memdump.c
@@ -691,11 +691,14 @@
if (status != 0)
return -EINVAL;
+ mutex_lock(&hdd_ctx->memdump_lock);
if (*pos < 0) {
hdd_err("Invalid start offset for memdump read");
+ mutex_unlock(&hdd_ctx->memdump_lock);
return -EINVAL;
} else if (!count || (hdd_ctx->driver_dump_size &&
(*pos >= hdd_ctx->driver_dump_size))) {
+ mutex_unlock(&hdd_ctx->memdump_lock);
hdd_err("No more data to copy");
return 0;
} else if ((*pos == 0) || (hdd_ctx->driver_dump_mem == NULL)) {
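Review bot: Nothing in this diff shows where `memdump_lock` is declared or initialized, so before `mutex_lock(&hdd_ctx->memdump_lock)` at the top of this hunk can be trusted, confirm that `hdd_context_s` already carries the field (this is a propagation from qcacld-2.0, so it presumably does) and that it is `mutex_init()`ed before the procfs entry is created and `mutex_destroy()`ed on teardown; locking an uninitialized mutex is undefined. Also, the `!count` / end-of-data branch unlocks before `hdd_err("No more data to copy")` while the `*pos < 0` branch unlocks after its `hdd_err`; place `mutex_unlock(&hdd_ctx->memdump_lock);` immediately before each `return` so the pattern is uniform and easy to audit. The enclosing `hdd_driver_memdump_read()` begins before this hunk, so the `status` check on the first context lines is only partially visible here.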
@@ -707,6 +710,7 @@
qdf_mem_malloc(DRIVER_MEM_DUMP_SIZE);
if (!hdd_ctx->driver_dump_mem) {
hdd_err("qdf_mem_malloc failed");
+ mutex_unlock(&hdd_ctx->memdump_lock);
return -ENOMEM;
}
}
@@ -735,6 +739,7 @@
if (copy_to_user(buf, hdd_ctx->driver_dump_mem + *pos,
no_of_bytes_read)) {
hdd_err("copy to user space failed");
+ mutex_unlock(&hdd_ctx->memdump_lock);
return -EFAULT;
}
@@ -745,6 +750,8 @@
if (*pos >= hdd_ctx->driver_dump_size)
hdd_driver_mem_cleanup();
+ mutex_unlock(&hdd_ctx->memdump_lock);
+
return no_of_bytes_read;
}
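Review bot: `hdd_driver_mem_cleanup()` is now invoked with `memdump_lock` held, so it must not itself acquire that mutex (kernel mutexes are not recursive and this would self-deadlock), and every other path that frees or reassigns `driver_dump_mem` — the driver deinit / procfs-removal path in particular, which is not in this diff — must take the same lock, otherwise the use-after-free is only closed between concurrent readers and not against teardown; please verify both. With this change the function has five separate `mutex_unlock` sites, one per early `return`, which is exactly the shape that leaks a lock the next time someone adds an error path; the kernel idiom is a single `out:` label, with each error site becoming `ret = -EINVAL; goto out;` (or `-ENOMEM`, `-EFAULT`, `0` as appropriate) and a `ssize_t ret` declared at the top of the function, which lies before this hunk. The tail of `hdd_driver_memdump_read()` would then read as below.
```c
	/* … unchanged: copy_to_user and *pos bookkeeping … */
	if (*pos >= hdd_ctx->driver_dump_size)
		hdd_driver_mem_cleanup();
	ret = no_of_bytes_read;
out:
	mutex_unlock(&hdd_ctx->memdump_lock);
	return ret;
```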