storaged could cause heap use after free

- Call free() on remove_operation()(Thread)
- Access op->op on add_operation()(Main thread)

Change-Id: Iee3b3a545a04889d79f1d696dadce9d842769259
Signed-off-by: pr.jung <pr.jung@samsung.com>

diff --git a/src/block/block.c b/src/block/block.c
index 2093858..100e9cb 100644 (file)
--- a/src/block/block.c
+++ b/src/block/block.c
@@ -2025,6 +2025,14 @@ static int add_operation(struct block_device *bdev,
        op->data = data;
        op->invocation = invocation;
 
+       /* Need to disble app2ext whenever unmounting mmc */
+       if (operation == BLOCK_DEV_UNMOUNT &&
+               bdev->data->state == BLOCK_MOUNT &&
+               bdev->data->block_type == BLOCK_MMC_DEV &&
+               bdev->data->primary)
+               if (app2ext_disable_all_external_pkgs() < 0)
+                       _E("app2ext_disable_all_external_pkgs() failed");
+
        /* LOCK
         * during adding queue and checking the queue length */
        pthread_mutex_lock(&(th_manager[thread_id].mutex));
@@ -2042,15 +2050,6 @@ static int add_operation(struct block_device *bdev,
        pthread_mutex_unlock(&(th_manager[thread_id].mutex));
        /* UNLOCK */
 
-       /* Need to disble app2ext whenever unmounting mmc */
-       if (op->op == BLOCK_DEV_UNMOUNT &&
-               bdev->data->state == BLOCK_MOUNT &&
-               bdev->data->block_type == BLOCK_MMC_DEV &&
-               bdev->data->primary)
-               if (app2ext_disable_all_external_pkgs() < 0)
-                       _E("app2ext_disable_all_external_pkgs() failed");
-
-
        if (!start_th) {
                _D("Start New thread for block device");
                th_manager[thread_id].start_th = true;