From 81a8b5427b9a85c5cf1f437346e76d6c643621b3 Mon Sep 17 00:00:00 2001 From: Stefan Wahren Date: Mon, 31 Oct 2016 14:39:27 +0000 Subject: [PATCH] staging: vchiq_core: fix service dereference in unlock_service The service state is dereferenced before BUG_ON and outside of the spin lock. So in order to avoid possible NULL pointer dereferences or races move the whole scope at a safer place. This issue has been found by Cppcheck. Signed-off-by: Stefan Wahren Signed-off-by: Greg Kroah-Hartman --- drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c index 5978017b14bd..7984ff9fad87 100644 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c @@ -296,12 +296,13 @@ lock_service(VCHIQ_SERVICE_T *service) void unlock_service(VCHIQ_SERVICE_T *service) { - VCHIQ_STATE_T *state = service->state; spin_lock(&service_spinlock); BUG_ON(!service || (service->ref_count == 0)); if (service && service->ref_count) { service->ref_count--; if (!service->ref_count) { + VCHIQ_STATE_T *state = service->state; + BUG_ON(service->srvstate != VCHIQ_SRVSTATE_FREE); state->services[service->localport] = NULL; } else -- 2.20.1