CHROMIUM: virtio/wl: Always update *vfd_count on recv, if given
In the vfd->hang case, the current code would leave *vfd_count unchanged (=
output array size), while it would still return successfully. The caller
would then mistakenly assume that all the vfd pointers in the array are
valid and trigger a NULL pointer dereference.
BUG=none
TEST=Remote disconnect doesn't crash the kernel
Change-Id: I0837704ca2bbf5a94324f4b6f794a192857c6da3
Signed-off-by: Tomasz Figa <tfiga@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1158108
diff --git a/drivers/virtio/virtio_wl.c b/drivers/virtio/virtio_wl.c
index 2e09c4b..ac8aff1 100644
--- a/drivers/virtio/virtio_wl.c
+++ b/drivers/virtio/virtio_wl.c
@@ -676,12 +676,11 @@
force_to_wait = true;
}
- if (vfd_count)
- *vfd_count = vfd_read_count;
-
out_unlock:
mutex_unlock(&vfd->lock);
mutex_unlock(&vi->vfds_lock);
+ if (vfd_count)
+ *vfd_count = vfd_read_count;
return read_count;
}
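Review bot: moving `if (vfd_count) *vfd_count = vfd_read_count;` to after the `out_unlock:` label makes the write-back happen on every exit path, including any `goto out_unlock` taken before the old assignment, so a caller can no longer read back its own input array size as the number of valid entries; that matches the NULL dereference described in the message. Two things to confirm that this hunk does not show: `vfd_read_count` must be initialised (to 0) before the earliest `goto out_unlock`, otherwise an early bailout now reports garbage rather than the stale value, and `vfd_read_count` must be a plain local rather than shared state, since the assignment now runs after both `vfd->lock` and `vi->vfds_lock` are dropped. If both hold, the placement is correct and the locks are not needed for the store.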