DivestOS/Patches/Linux_CVEs/CVE-2016-8450/ANY/0001.patch
2017-11-07 17:32:46 -05:00

87 lines
2.8 KiB
Diff

From e909d159ad1998ada853ed35be27c7b6ba241bdb Mon Sep 17 00:00:00 2001
From: Walter Yang <yandongy@codeaurora.org>
Date: Wed, 27 Jul 2016 15:07:53 +0800
Subject: ASoC: msm: set pointers to NULL after kfree
In lsm-related driver files, some pointers are not set as NULL
after the memory is freed, which will leave many dangling pointers.
Set them to NULL explicitly to avoid potential risk.
CRs-Fixed: 880388
Change-Id: I44925240705608510266a51225cc02611637c571
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
---
sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
sound/soc/msm/qdsp6v2/msm-dai-slim.c | 2 ++
sound/soc/msm/qdsp6v2/q6lsm.c | 1 +
3 files changed, 10 insertions(+)
diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
index 9f957e5..a529fcc 100644
--- a/sound/soc/msm/msm-cpe-lsm.c
+++ b/sound/soc/msm/msm-cpe-lsm.c
@@ -1219,6 +1219,7 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
dev_err(rtd->dev, "%s: No memory for sound model\n",
__func__);
kfree(session->conf_levels);
+ session->conf_levels = NULL;
return -ENOMEM;
}
session->snd_model_size = snd_model.data_size;
@@ -1230,6 +1231,8 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
__func__);
kfree(session->conf_levels);
kfree(session->snd_model_data);
+ session->conf_levels = NULL;
+ session->snd_model_data = NULL;
return -EFAULT;
}
@@ -1241,6 +1244,8 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
__func__, rc);
kfree(session->snd_model_data);
kfree(session->conf_levels);
+ session->snd_model_data = NULL;
+ session->conf_levels = NULL;
return rc;
}
@@ -1254,6 +1259,8 @@ static int msm_cpe_lsm_ioctl_shared(struct snd_pcm_substream *substream,
lsm_ops->lsm_shmem_dealloc(cpe->core_handle, session);
kfree(session->snd_model_data);
kfree(session->conf_levels);
+ session->snd_model_data = NULL;
+ session->conf_levels = NULL;
return rc;
}
diff --git a/sound/soc/msm/qdsp6v2/msm-dai-slim.c b/sound/soc/msm/qdsp6v2/msm-dai-slim.c
index b46d0a5..4bb8f59 100644
--- a/sound/soc/msm/qdsp6v2/msm-dai-slim.c
+++ b/sound/soc/msm/qdsp6v2/msm-dai-slim.c
@@ -482,7 +482,9 @@ static void msm_dai_slim_remove_dai_data(
dai_data_t = &drv_data->slim_dai_data[i];
kfree(dai_data_t->chan_h);
+ dai_data_t->chan_h = NULL;
kfree(dai_data_t->sh_ch);
+ dai_data_t->sh_ch = NULL;
}
}
diff --git a/sound/soc/msm/qdsp6v2/q6lsm.c b/sound/soc/msm/qdsp6v2/q6lsm.c
index ec73472..2bf0c49 100644
--- a/sound/soc/msm/qdsp6v2/q6lsm.c
+++ b/sound/soc/msm/qdsp6v2/q6lsm.c
@@ -348,6 +348,7 @@ void q6lsm_client_free(struct lsm_client *client)
q6lsm_mmap_apr_dereg();
mutex_destroy(&client->cmd_lock);
kfree(client);
+ client = NULL;
}
/*
--
cgit v1.1