msm: ipa: Fix use-after-free in ipa3_alloc_counter_id

Make changes to memcopy before preload end. Change-Id: Icc056a3bcd5b739b8165813202c87dd84e72c78a Signed-off-by: Michael Adisumarta <madisuma@codeaurora.org>
2020-10-08 16:22:27 -07:00 · 2020-10-08 16:22:27 -07:00 · 0d5800910f
commit 0d5800910f
parent a2ea5ff32c
1 changed files with 1 additions and 1 deletions
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_utils.c
@ -7057,9 +7057,9 @@ mark_sw_cnt:
 done:
 	/* get a handle from idr for dealloc */
 	counter->hdl = __ipa3_alloc_counter_hdl(counter);
+	memcpy(header, counter, sizeof(struct ipa_ioc_flt_rt_counter_alloc));
 	spin_unlock(&ipa3_ctx->flt_rt_counters.hdl_lock);
 	idr_preload_end();
-	memcpy(header, counter, sizeof(struct ipa_ioc_flt_rt_counter_alloc));
 	return 0;

 err: