From: Satya Durga Srinivasu Prabhala Date: Mon, 16 Jan 2017 18:37:08 +0000 (-0800) Subject: soc: qcom: service-notifier: fix object corruption X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=06a774048fd602e73279af771040608f32e0bdab;p=sagit-ice-cold%2Fkernel_xiaomi_msm8998.git soc: qcom: service-notifier: fix object corruption Below object corruption observed from service-notifier while executing WLAN PDR tests. While executing WLAN PDR tests, Modem crashed, which resulted into use after free condition. Add mutex lock to fix the issue. =============================================== BUG kmalloc-1024 (Tainted: G W O ): \ Poison overwritten ----------------------------------------------- INFO: 0xffffffc0ba5c4d30-0xffffffc0ba5c4d3a. \ First byte 0xff instead of 0x6b INFO: Allocated in qmi_handle_create+0x4c/0x320 \ age=80203 cpu=0 pid=27134 alloc_debug_processing+0x124/0x178 ___slab_alloc.constprop.62+0x4ec/0x5d0 __slab_alloc.isra.59.constprop.61+0x48/0x74 kmem_cache_alloc_trace+0xd4/0x25c qmi_handle_create+0x4c/0x320 root_service_service_arrive+0x3c/0x1e8 process_one_work+0x234/0x40c worker_thread+0x2e0/0x410 kthread+0xf4/0xfc ret_from_fork+0x10/0x40 INFO: Freed in qmi_handle_destroy+0x154/0x16c \ age=50 cpu=1 pid=22765 free_debug_processing+0x27c/0x354 __slab_free+0x74/0x3ac kfree+0x21c/0x290 qmi_handle_destroy+0x154/0x16c root_service_service_exit+0xf0/0x110 ssr_event_notify+0x74/0x84 notifier_call_chain+0x58/0x8c __srcu_notifier_call_chain+0x9c/0xc0 srcu_notifier_call_chain+0x38/0x44 subsys_notif_queue_notification+0x40/0x54 notify_each_subsys_device.isra.9+0x18c/0x1b0 subsystem_restart_wq_func+0x2f4/0x5a8 process_one_work+0x234/0x40c worker_thread+0x2e0/0x410 kthread+0xf4/0xfc ret_from_fork+0x10/0x40 Change-Id: Iebc0871220547c2d6f026db1dffafe30b854b199 Signed-off-by: Satya Durga Srinivasu Prabhala --- diff --git a/drivers/soc/qcom/service-notifier.c b/drivers/soc/qcom/service-notifier.c index 84a2aeee8cf7..e7307c46a895 100644 --- a/drivers/soc/qcom/service-notifier.c +++ b/drivers/soc/qcom/service-notifier.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2016, The Linux Foundation. All rights reserved. + * Copyright (c) 2015-2017, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -336,11 +336,13 @@ static void root_service_service_arrive(struct work_struct *work) int rc; int curr_state; + mutex_lock(&qmi_client_release_lock); /* Create a Local client port for QMI communication */ data->clnt_handle = qmi_handle_create(root_service_clnt_notify, work); if (!data->clnt_handle) { pr_err("QMI client handle alloc failed (instance-id: %d)\n", data->instance_id); + mutex_unlock(&qmi_client_release_lock); return; } @@ -353,9 +355,11 @@ static void root_service_service_arrive(struct work_struct *work) data->instance_id, rc); qmi_handle_destroy(data->clnt_handle); data->clnt_handle = NULL; + mutex_unlock(&qmi_client_release_lock); return; } data->service_connected = true; + mutex_unlock(&qmi_client_release_lock); pr_info("Connection established between QMI handle and %d service\n", data->instance_id); /* Register for indication messages about service */