OrgACRN
/
acrn-kernel
mirror of https://github.com/projectacrn/acrn-kernel.git
1
0
Fork 0
Code Issues Releases Wiki Activity

mailbox: mailbox-test: fix a locking issue in mbox_test_message_write() 

[ Upstream commit 8fe72b76db ]

There was a bug where this code forgot to unlock the tdev->mutex if the
kzalloc() failed.  Fix this issue, by moving the allocation outside the
lock.

Fixes: 2d1e952a2b ("mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Dan Carpenter 2023-05-05 12:22:09 +03:00 committed by Greg Kroah-Hartman
parent 4124000cf4
commit 7d233f9359
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/mailbox/mailbox-test.c
View File

@ -97,6 +97,7 @@ static ssize_t mbox_test_message_write(struct file *filp,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
struct mbox_test_device *tdev = filp->private_data; struct mbox_test_device *tdev = filp->private_data;
char *message;
void *data; void *data;
int ret; int ret;
@ -112,12 +113,13 @@ static ssize_t mbox_test_message_write(struct file *filp,
return -EINVAL; return -EINVAL;
} }
mutex_lock(&tdev->mutex); message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
if (!message)
tdev->message = kzalloc(MBOX_MAX_MSG_LEN, GFP_KERNEL);
if (!tdev->message)
return -ENOMEM; return -ENOMEM;
mutex_lock(&tdev->mutex);
tdev->message = message;
ret = copy_from_user(tdev->message, userbuf, count); ret = copy_from_user(tdev->message, userbuf, count);
if (ret) { if (ret) {
ret = -EFAULT; ret = -EFAULT;