TechPanelGM/kernel_xiaomi_sm8250
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

UPSTREAM: mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()

Browse Source 
[ Upstream commit 8fe72b76db79d694858e872370df49676bc3be8c ]

There was a bug where this code forgot to unlock the tdev->mutex if the
kzalloc() failed.  Fix this issue, by moving the allocation outside the
lock.

Bug: 275340532
Fixes: 2d1e952a2b8e ("mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 7d233f93594f0d9afe44e9409131a8d6ad4f593c)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I7a4a1bf06abbb2092aceb72610e3f894b2bfbf0f
This commit is contained in:
Dan Carpenter
2023-05-05 12:22:09 +03:00
committed by Lee Jones
parent ed914c7bb3
commit 0f427f0f02
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/mailbox/mailbox-test.c
View File

@@ -101,6 +101,7 @@ static ssize_t mbox_test_message_write(struct file *filp,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
struct mbox_test_device *tdev = filp->private_data; struct mbox_test_device *tdev = filp->private_data;
char *message;
void *data; void *data;
int ret; int ret;
@@ -116,12 +117,13 @@ static ssize_t mbox_test_message_write(struct file *filp,
return -EINVAL; return -EINVAL;
} }
mutex_lock(&tdev->mutex); message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
if (!message)
tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
if (!tdev->message)
return -ENOMEM; return -ENOMEM;
mutex_lock(&tdev->mutex);
tdev->message = message;
ret = copy_from_user(tdev->message, userbuf, count); ret = copy_from_user(tdev->message, userbuf, count);
if (ret) { if (ret) {
ret = -EFAULT; ret = -EFAULT;