authorWish Wu <wishwu007@gmail.com>2016-01-15 20:03:14 -0500
committerPatrick Tjin <pattjin@google.com>2016-01-21 15:15:08 -0800
commit094b859def52db81d6bd075bb3ded0c479df8885 (patch)
treec3cdae954ab3a8e0fddf26736307a288ff474501
parent2ff841fa89cd66f8291828ea657301630858d3a1 (diff)
msm: null pointer dereferencingandroid-6.0.1_r0.21
Prevent unintended kernel NULL pointer dereferencing. Original code: hlist_del_rcu(&event->hlist_entry); Fix: Adding pointer check: if(!hlist_unhashed(&p_event->hlist_entry)) hlist_del_rcu(&p_event->hlist_entry); Bug: 25364034 Change-Id: Ieda6d8f4bb567827fa6c7709e9e729905c6c3882 Signed-off-by: Yuan Lin <yualin@google.com>
-rw-r--r--kernel/events/core.c6
-rw-r--r--kernel/trace/trace_event_perf.c5
2 files changed, 9 insertions, 2 deletions
diff --git a/kernel/events/core.c b/kernel/events/core.c
index aafa4c1acd99..1cc5b4fac767 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4993,7 +4993,8 @@ static int perf_swevent_add(struct perf_event *event, int flags)
static void perf_swevent_del(struct perf_event *event, int flags)
{
- hlist_del_rcu(&event->hlist_entry);
+ if(!hlist_unhashed(&event->hlist_entry))
+ hlist_del_rcu(&event->hlist_entry);
}
static void perf_swevent_start(struct perf_event *event, int flags)
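Review bot: The `hlist_unhashed()` guard in perf_swevent_del only recognises a node whose `pprev` is still NULL, that is, one that was never added. `hlist_del_rcu()` leaves `pprev` poisoned rather than NULL, so a second del on the same event would pass the check and still fault. If repeated deletion is reachable, `hlist_del_init_rcu(&event->hlist_entry);` does the same unhashed test and resets the node afterwards; the same applies to perf_trace_del in kernel/trace/trace_event_perf.c. The guard also assumes the entry starts out zeroed when the event is allocated, which is outside this hunk. A one-line comment saying how del can be reached without a matching add would help, since the check tolerates that state rather than preventing it.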
@@ -6206,6 +6207,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (err)
return err;
+ if (attr.__reserved_1)
+ return -EINVAL;
+
if (!attr.exclude_kernel) {
if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN))
return -EACCES;
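Review bot: The `attr.__reserved_1` rejection in perf_event_open is not mentioned in the commit message and carries no comment, so a reader cannot tell how it relates to the NULL dereference being fixed. Rejecting non-zero reserved fields is a sound input check on a syscall boundary. It would sit better beside the rest of the attribute validation, presumably in the copy helper whose `err` is tested just above; that helper is outside this hunk and may already perform the same test. At minimum I would add `/* reserved bits must be zero: refuse attrs carrying fields this kernel does not validate */` above the `if`. The syscall body starts and ends outside the hunk.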
diff --git a/kernel/trace/trace_event_perf.c b/kernel/trace/trace_event_perf.c
index fee3752ae8f6..a2db136faa5a 100644
--- a/kernel/trace/trace_event_perf.c
+++ b/kernel/trace/trace_event_perf.c
@@ -222,7 +222,10 @@ int perf_trace_add(struct perf_event *p_event, int flags)
void perf_trace_del(struct perf_event *p_event, int flags)
{
struct ftrace_event_call *tp_event = p_event->tp_event;
- hlist_del_rcu(&p_event->hlist_entry);
+ if(!hlist_unhashed(&p_event->hlist_entry))
+ hlist_del_rcu(&p_event->hlist_entry);
+ else
+ return;
tp_event->class->reg(tp_event, TRACE_REG_PERF_DEL, p_event);
}
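Review bot: The `if … else return;` shape in perf_trace_del obscures that the function now silently skips the `TRACE_REG_PERF_DEL` callback for an event that was never hashed. A guard clause says that directly: `if (hlist_unhashed(&p_event->hlist_entry))` then `return;`, followed by an unconditional `hlist_del_rcu(&p_event->hlist_entry);`. The guard deserves a comment stating that skipping `reg()` is intentional because no matching add registered the event; that intent is inferred from the change, not stated on the page. Kernel style also wants a space in `if (`.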