commit ade2ca2cbaf1452600d4b070e93004c007a4bb98
author Tomasz Figa <tfiga@chromium.org> Wed Aug 01 13:06:36 2018 +0900
committer Tim Detwiler <tjdetwiler@google.com> Tue Oct 09 16:37:03 2018 -0700
tree 0ae6185bc3420a78098478572165e9f198b8ba70
parent d05a25fcbf9f9c1a1e90802814ed35dd16010fc3

CHROMIUM: virtio/wl: Always update *vfd_count on recv, if given

In vfd->hang case, current code would leave *vfd_count unchanged (=
output array size), while it would still return successfully. The caller
would then mistakenly assume that all the vfd pointers in the array are
valid and trigger a NULL pointer dereference.

BUG=none
TEST=Remote disconnect doesn't crash the kernel

Change-Id: I0837704ca2bbf5a94324f4b6f794a192857c6da3
Signed-off-by: Tomasz Figa <tfiga@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1158108

drivers/virtio/virtio_wl.c

diff --git a/drivers/virtio/virtio_wl.c b/drivers/virtio/virtio_wl.c
index 2e09c4b..ac8aff1 100644
--- a/drivers/virtio/virtio_wl.c
+++ b/drivers/virtio/virtio_wl.c
@@ -676,12 +676,11 @@
 			force_to_wait = true;
 	}
 
-	if (vfd_count)
-		*vfd_count = vfd_read_count;
-
 out_unlock:
 	mutex_unlock(&vfd->lock);
 	mutex_unlock(&vi->vfds_lock);
+	if (vfd_count)
+		*vfd_count = vfd_read_count;
 	return read_count;
 }