security: tlk_driver: fix te_open_session
Scott Long [Wed, 27 May 2015 16:44:46 +0000 (09:44 -0700)]
If do_smc() fails in te_open_session() we free
the session pointer but then reference it after
that point when freeing temp mem buffers which
can lead to a crash.

Bug 200108299

Change-Id: I2360e389182ffeb5d3cc9944f4edcd2da7c1643b
Signed-off-by: Scott Long <scottl@nvidia.com>
Reviewed-on: http://git-master/r/747819
(cherry picked from commit db190003e70da2b25d0ae78ec5c7ed61c729f9a9)
Reviewed-on: http://git-master/r/748567
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Hyung Taek Ryoo <hryoo@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>

security/tlk_driver/ote_comms.c

index 5bf22a6..de59bf1 100644 (file)
@@ -504,19 +504,23 @@ void te_open_session(struct te_opensession *cmd,
        do_smc(request, context->dev);
 
        if (request->result) {
-               /* release any persistent mem buffers if we failed */
+               /* release all mem buffers if we failed */
                te_release_mem_buffers(&session->inactive_persist_shmem_list);
+               te_release_mem_buffers(&session->temp_shmem_list);
 
                kfree(session);
-       } else {
-               /* otherwise mark active any persistent mem buffers */
-               te_activate_persist_mem_buffers(session);
 
-               /* save off session_id and add to list */
-               session->session_id = request->session_id;
-               list_add_tail(&session->list, &context->session_list);
+               return;
        }
 
+       /* mark active any persistent mem buffers */
+       te_activate_persist_mem_buffers(session);
+
+       /* save off session_id and add to list */
+       session->session_id = request->session_id;
+       list_add_tail(&session->list, &context->session_list);
+
+       /* release temporary mem buffers */
        te_release_mem_buffers(&session->temp_shmem_list);
 }
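Review bot: `session->temp_shmem_list` is now released in two places, and on the success path the release runs after `list_add_tail()` has already published the session on `context->session_list`. If nothing after `do_smc()` still needs the temporary buffers (te_activate_persist_mem_buffers() is not visible here, so confirm this), a single `te_release_mem_buffers(&session->temp_shmem_list);` directly after `do_smc(request, context->dev);` would serve both paths. That keeps every use of `session` ahead of `kfree(session)` by construction and avoids modifying the session once other code can find it on the list. Whether a lock guards `session_list` during this sequence cannot be seen from the hunk. The function begins outside the hunk, so any earlier error returns deserve the same check for free-then-use ordering.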