Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qcacld-3.0 / c3a74ba0154e2108a4f4115a875b0e21a397e681^! / . / core / hdd / src / wlan_hdd_memdump.c
commitc3a74ba0154e2108a4f4115a875b0e21a397e681[log] [tgz]
authorSaidiReddy Yenuga <saidir@codeaurora.org>Wed Mar 08 16:17:55 2017 +0530
committerSandeep Puligilla <spuligil@codeaurora.org>Fri Mar 31 23:57:30 2017 -0700
tree55d2320c68fb556d2f15728c611f33e73921c9eb
parent0a5bc614f977af2cf954cdc16545118b40192f54 [diff] [blame]
qcacld-3.0: Acquire lock to protect hdd_ctx in hdd_driver_memdump_read()

qcacld-2.0 to qcacld-3.0 propagation.

Two threads accessing the procfs entry might end up in race condition and
lead to use-after-free for hdd_ctx->driver_dump_mem.

Hence, acquire a lock to protect hdd_ctx.

Change-Id: If871f4ceadf650978e16b4a336f688a0dae1c494
CRs-Fixed: 2005832

diff --git a/core/hdd/src/wlan_hdd_memdump.c b/core/hdd/src/wlan_hdd_memdump.c
index 9980d91..a64f806 100644
--- a/core/hdd/src/wlan_hdd_memdump.c
+++ b/core/hdd/src/wlan_hdd_memdump.c

@@ -691,11 +691,14 @@
 	if (status != 0)
 		return -EINVAL;
 
+	mutex_lock(&hdd_ctx->memdump_lock);
 	if (*pos < 0) {
 		hdd_err("Invalid start offset for memdump read");
+		mutex_unlock(&hdd_ctx->memdump_lock);
 		return -EINVAL;
 	} else if (!count || (hdd_ctx->driver_dump_size &&
 				(*pos >= hdd_ctx->driver_dump_size))) {
+		mutex_unlock(&hdd_ctx->memdump_lock);
 		hdd_err("No more data to copy");
 		return 0;
 	} else if ((*pos == 0) || (hdd_ctx->driver_dump_mem == NULL)) {
@@ -707,6 +710,7 @@
 				qdf_mem_malloc(DRIVER_MEM_DUMP_SIZE);
 			if (!hdd_ctx->driver_dump_mem) {
 				hdd_err("qdf_mem_malloc failed");
+				mutex_unlock(&hdd_ctx->memdump_lock);
 				return -ENOMEM;
 			}
 		}
@@ -735,6 +739,7 @@
 	if (copy_to_user(buf, hdd_ctx->driver_dump_mem + *pos,
 					no_of_bytes_read)) {
 		hdd_err("copy to user space failed");
+		mutex_unlock(&hdd_ctx->memdump_lock);
 		return -EFAULT;
 	}
 
@@ -745,6 +750,8 @@
 	if (*pos >= hdd_ctx->driver_dump_size)
 		hdd_driver_mem_cleanup();
 
+	mutex_unlock(&hdd_ctx->memdump_lock);
+
 	return no_of_bytes_read;
 }