diff options
| author | Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> | 2021-08-26 17:13:14 -0600 |
|---|---|---|
| committer | Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> | 2021-08-26 17:21:47 -0600 |
| commit | 6b2b96a9b3d514a0462679bf5158942c0da59d83 (patch) | |
| tree | d2ef2f9ba58d4c0ee5ed396b6e24a5d30985daf6 | |
| parent | ef13a42ae2161ea914186c51721ffa6bb3709af7 (diff) | |
| download | datarmnet-6b2b96a9b3d514a0462679bf5158942c0da59d83.tar.gz | |
core: Fix use after free in case of command transmit failure
Fixes the following-
[ 2691.143973]ipa ipa3_rmnet_ctl_xmit:474 rmnet_ctl tx queue full
[ 2691.144001]Failed to send to rmnet ctl
[ 2691.144020]Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
[ 2691.144087]Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 2691.145120]Workqueue: rmnet_powersave_work qmi_rmnet_check_stats_2.cfi_jt
[rmnet_core]
[ 2691.145147]pc : __skb_ext_put+0x24/0x1c0
[ 2691.145156]lr : skb_release_head_state+0x108/0x1bc
[ 2691.145317]__skb_ext_put+0x24/0x1c0
[ 2691.145324]skb_release_head_state+0x108/0x1bc
[ 2691.145331]kfree_skb+0x7c/0x4d0
[ 2691.145445]rmnet_qmap_send+0x128/0x258 [rmnet_core]
[ 2691.145534]dfc_qmap_set_powersave+0x154/0x2bc [rmnet_core]
[ 2691.145624]qmi_rmnet_check_stats_2+0xb4/0x488 [rmnet_core]
[ 2691.145636]process_one_work+0x248/0x820
[ 2691.145642]worker_thread+0x438/0xbd8
[ 2691.145649]kthread+0x150/0x200
[ 2691.145656]ret_from_fork+0x10/0x30
CRs-Fixed: 3023614
Change-Id: Ibb6063ad41a1b9407b4735dc6cf688038b352088
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
| -rw-r--r-- | core/rmnet_qmap.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/core/rmnet_qmap.c b/core/rmnet_qmap.c index 3c0677a..d838297 100644 --- a/core/rmnet_qmap.c +++ b/core/rmnet_qmap.c @@ -38,7 +38,6 @@ int rmnet_qmap_send(struct sk_buff *skb, u8 ch, bool flush) if (rmnet_ctl->send(rmnet_ctl_handle, skb)) { pr_err("Failed to send to rmnet ctl\n"); - kfree_skb(skb); return -ECOMM; } |