From aaf2f73fe59c3a21dab668618311a7e768b101ea Mon Sep 17 00:00:00 2001
From: Richard Gong
Date: Fri, 6 Jul 2018 13:10:37 -0500
Subject: [PATCH] FogBugz #574552: misc: intel-service: resolve a possible memory exception S10 service layer has a potential bug at its routine request_svc_channel_byname(), where service layer driver doesn't validate the name passed by service client so there is no guarantee to get an valid pointer. As a result a memory access exception may occur.
Signed-off-by: Richard Gong
---
v2: s/-ENODEV/-EPROBE_DEFER if svc's probe was called after client, or error on probe s/-EPROBE_DEFER/-EINVAL if there was no channel match v3: resolve the potential KW error
---
drivers/misc/intel-service.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/misc/intel-service.c b/drivers/misc/intel-service.c
index b2df8ccc9abe7..deb01ee327edd 100644
--- a/drivers/misc/intel-service.c
+++ b/drivers/misc/intel-service.c
@@ -192,13 +192,13 @@ struct intel_svc_chan *request_svc_channel_byname(
 {
 struct device *dev = client->dev;
 struct intel_svc_controller *controller;
- struct intel_svc_chan *chan;
+ struct intel_svc_chan *chan = NULL;
 unsigned long flag;
 int i;
- chan = ERR_PTR(-EPROBE_DEFER);
+ /* if probe was called after client's, or error on probe */
 if (list_empty(&svc_ctrl))
- return ERR_PTR(-ENODEV);
+ return ERR_PTR(-EPROBE_DEFER);
 controller = list_first_entry(&svc_ctrl, struct intel_svc_controller, node);
@@ -209,6 +209,12 @@ struct intel_svc_chan *request_svc_channel_byname(
 }
 }
+ /* if there was no channel match */
+ if (i == SVC_NUM_CHANNEL) {
+ dev_err(dev, "%s: channel not allocated\n", __func__);
+ return ERR_PTR(-EINVAL);
+ }
+
 if (chan->scl || !try_module_get(controller->dev->driver->owner)) {
 dev_dbg(dev, "%s: svc not free\n", __func__);
 return ERR_PTR(-EBUSY);
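Review bot: Returning `-EPROBE_DEFER` from the `list_empty(&svc_ctrl)` branch covers both cases the added comment names, and only one of them is recoverable: if the service driver's probe failed, clients are re-queued for deferred probing indefinitely and never see a hard error. If the driver can tell the two cases apart (not visible in this hunk), keeping `-ENODEV` for a failed probe would be clearer; otherwise the comment should state the consequence, e.g. `/* controller not registered yet, or its probe failed: client will be retried */`. Separately, `svc_ctrl` is tested and then read by `list_first_entry()` with no lock visible here, so it is worth confirming that controller registration and removal cannot race with this lookup. The function's signature is above the hunk and its body continues below it.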
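Review bot: The no-match test `if (i == SVC_NUM_CHANNEL)` guards the `chan->scl` dereference only indirectly, through the counter of a loop that lies outside this hunk; since `chan` is now initialised to NULL, `if (!chan)` would check the pointer that is actually dereferenced and stay correct if the loop is later restructured. The commit message describes the defect as an unvalidated client-supplied name, but nothing visible rejects a NULL name, so if the lookup loop hands it to a string comparison (not shown) that fault remains; an early `if (!name) return ERR_PTR(-EINVAL);` would close it, assuming the parameter is called `name`. Including the requested name in the `dev_err()` text would also make a misconfigured client easier to identify from the log.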