[PATCH 1/7] staging: vchiq_core: fix service dereference in unlock_service
Stefan Wahren
stefan.wahren at i2se.com
Mon Oct 31 07:39:27 PDT 2016
The service state is dereferenced before BUG_ON and outside of the
spin lock. So in order to avoid possible NULL pointer dereferences or
races, move the whole scope to a safer place.
This issue has been found by Cppcheck.
Signed-off-by: Stefan Wahren <stefan.wahren at i2se.com>
---
.../vc04_services/interface/vchiq_arm/vchiq_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
index f3e1000..2e0e8ef 100644
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
@@ -296,12 +296,13 @@ static const char *msg_type_str(unsigned int msg_type)
void
unlock_service(VCHIQ_SERVICE_T *service)
{
- VCHIQ_STATE_T *state = service->state;
spin_lock(&service_spinlock);
BUG_ON(!service || (service->ref_count == 0));
if (service && service->ref_count) {
service->ref_count--;
if (!service->ref_count) {
+ VCHIQ_STATE_T *state = service->state;
+
BUG_ON(service->srvstate != VCHIQ_SRVSTATE_FREE);
state->services[service->localport] = NULL;
} else
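Review bot: with `state` now read only inside the `if (!service->ref_count)` branch, the dereference of `service` happens after the `BUG_ON(!service ...)` check and under `service_spinlock`, which resolves the problem the commit message describes; however, the `if (service && service->ref_count)` test on the following line re-checks exactly the conditions that `BUG_ON` has already guaranteed, so one of the two is redundant and the patch would read more clearly if it either dropped the `BUG_ON` and kept the guarded branch, or kept the `BUG_ON` and simplified the `if` to `if (service->ref_count)`. A minor follow-up: a blank line after the new `VCHIQ_STATE_T *state = service->state;` declaration is consistent with kernel style, but the declaration itself could be placed at the top of the branch's block without the preceding `BUG_ON` on `srvstate` depending on it, which is what the hunk already does.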
--
1.7.9.5