staging: vchiq_core: fix service dereference in unlock_service
author Stefan Wahren <stefan.wahren@i2se.com>
Mon, 31 Oct 2016 14:39:27 +0000 (14:39 +0000)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 7 Nov 2016 10:05:47 +0000 (11:05 +0100)
The service state is dereferenced before BUG_ON and outside of the
spin lock. So in order to avoid possible NULL pointer dereferences or
races, move the whole scope to a safer place.

This issue has been found by Cppcheck.

Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c

index 5978017b14bd1c23d2f941b1519a1a57efc96e2b..7984ff9fad87e3681b990425d44347001dc5c281 100644
@@ -296,12 +296,13 @@ lock_service(VCHIQ_SERVICE_T *service)
 void
 unlock_service(VCHIQ_SERVICE_T *service)
 {
-       VCHIQ_STATE_T *state = service->state;
        spin_lock(&service_spinlock);
        BUG_ON(!service || (service->ref_count == 0));
        if (service && service->ref_count) {
                service->ref_count--;
                if (!service->ref_count) {
+                       VCHIQ_STATE_T *state = service->state;
+
                        BUG_ON(service->srvstate != VCHIQ_SRVSTATE_FREE);
                        state->services[service->localport] = NULL;
                } else
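Review bot: the `if (service && service->ref_count)` test directly below `BUG_ON(!service || (service->ref_count == 0))` is now redundant, since a NULL `service` or a zero `ref_count` can never reach it; with `state` moved inside the `if (!service->ref_count)` block, the `service->state` read happens only after that `BUG_ON` and while `service_spinlock` is held, which is what the message describes. Consider a follow-up that drops the `service &&` part (or the `BUG_ON`, if a NULL caller is meant to be tolerated) so the intended invariant is stated once rather than checked twice, and note that the hunk as shown ends at `} else`, so the remaining branch cannot be reviewed here.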