soc: qcom: ipc_router_smd_xprt: Set pointer to NULL after free

in_pkt pointer is holding dangling pointer address even after calling
release_pkt() which causing use-after-free.

Set the in_pkt pointer to NULL after free.

CRs-Fixed: 2210859
Change-Id: If5e01c0109c947e52f3ff269c9b2b50ac0dc2bdf
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>

diff --git a/drivers/soc/qcom/ipc_router_smd_xprt.c b/drivers/soc/qcom/ipc_router_smd_xprt.c
index a94e815..6e17f0b 100644 (file)
--- a/drivers/soc/qcom/ipc_router_smd_xprt.c
+++ b/drivers/soc/qcom/ipc_router_smd_xprt.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2015, 2018, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -294,8 +294,10 @@ static void smd_xprt_read_data(struct work_struct *work)
        spin_lock_irqsave(&smd_xprtp->ss_reset_lock, flags);
        if (smd_xprtp->ss_reset) {
                spin_unlock_irqrestore(&smd_xprtp->ss_reset_lock, flags);
-               if (smd_xprtp->in_pkt)
+               if (smd_xprtp->in_pkt) {
                        release_pkt(smd_xprtp->in_pkt);
+                       smd_xprtp->in_pkt = NULL;
+               }
                smd_xprtp->is_partial_in_pkt = 0;
                IPC_RTR_ERR("%s: %s channel reset\n",
                        __func__, smd_xprtp->xprt.name);
@@ -348,6 +350,7 @@ static void smd_xprt_read_data(struct work_struct *work)
                                __func__, smd_xprtp->xprt.name);
                        kfree_skb(ipc_rtr_pkt);
                        release_pkt(smd_xprtp->in_pkt);
+                       smd_xprtp->in_pkt = NULL;
                        smd_xprtp->is_partial_in_pkt = 0;
                        return;
                }