From 5697436b51d1732292155da19a7e349060c52795 Mon Sep 17 00:00:00 2001
From: Mohammed Javid <mjavid@codeaurora.org>
Date: Mon, 7 Aug 2017 16:05:27 +0530
Subject: [PATCH] msm: ipa: Fix to use after free issue
Added to code changes to ref_cnt variable will decrement only when add_ref_hdr variable is true.
Change-Id: I0bcc3909669f4843c43135e5f047ac28fa62bb63
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
---
 drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c | 3 ++-
 drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c
index 01e761429108..40cfac2e6d37 100644
--- a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c
+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c
@@ -581,7 +581,8 @@ ipa_insert_failed:
 htbl->proc_ctx_cnt--;
 bad_len:
- hdr_entry->ref_cnt--;
+ if (add_ref_hdr)
+ hdr_entry->ref_cnt--;
 entry->cookie = 0;
 kmem_cache_free(ipa_ctx->hdr_proc_ctx_cache, entry);
 return -EPERM;
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
index 4bb0d9c7e663..46288ac2cb8c 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
@@ -462,7 +462,8 @@ ipa_insert_failed:
 htbl->proc_ctx_cnt--;
 bad_len:
- hdr_entry->ref_cnt--;
+ if (add_ref_hdr)
+ hdr_entry->ref_cnt--;
 entry->cookie = 0;
 kmem_cache_free(ipa3_ctx->hdr_proc_ctx_cache, entry);
 return -EPERM;
--
GitLab
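Review bot: The new `if (add_ref_hdr)` guard at `bad_len:` in ipa_v2/ipa_hdr.c, and the identical one in the ipa_v3/ipa_hdr.c hunk, is only correct while it mirrors the place where the header reference is taken, and nothing at the label records that pairing. The increment is not visible in either hunk (the function starts and ends outside them), so presumably it sits earlier under the same flag. A comment above the guard would keep the error path and the acquire path in step, for example `/* drop the hdr reference only if this call took one (add_ref_hdr) */`. Because an unbalanced decrement here is what the commit title ties to the use-after-free, a cheap sanity check before the decrement may also be worth adding if `ref_cnt` is never expected to be zero at this point, e.g. `WARN_ON(hdr_entry->ref_cnt == 0);`.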