storaged could cause heap use after free

- Call free() on remove_operation()(Thread)
- Access op->op on add_operation()(Main thread)

Change-Id: I1259bc44c156932ff72d1c07bc809d45ea175c57
Signed-off-by: pr.jung <pr.jung@samsung.com>

diff --git a/src/block/block.c b/src/block/block.c
index a348b9a170f03e2ec745cdb5ebbc96c16b4582b2..3cb807504083cdec9e09bfccfd3e3d9f92d74b89 100644 (file)
--- a/src/block/block.c
+++ b/src/block/block.c
@@ -2020,6 +2020,14 @@ static int add_operation(struct block_device *bdev,
        op->data = data;
        op->reply_handle = reply_handle;
 
+       /* Need to disble app2ext whenever unmounting mmc */
+       if (operation == BLOCK_DEV_UNMOUNT &&
+               bdev->data->state == BLOCK_MOUNT &&
+               bdev->data->block_type == BLOCK_MMC_DEV &&
+               bdev->data->primary)
+               if (app2ext_disable_all_external_pkgs() < 0)
+                       _E("app2ext_disable_all_external_pkgs() failed");
+
        /* LOCK
         * during adding queue and checking the queue length */
        pthread_mutex_lock(&(th_manager[thread_id].mutex));
@@ -2037,15 +2045,6 @@ static int add_operation(struct block_device *bdev,
        pthread_mutex_unlock(&(th_manager[thread_id].mutex));
        /* UNLOCK */
 
-       /* Need to disble app2ext whenever unmounting mmc */
-       if (op->op == BLOCK_DEV_UNMOUNT &&
-               bdev->data->state == BLOCK_MOUNT &&
-               bdev->data->block_type == BLOCK_MMC_DEV &&
-               bdev->data->primary)
-               if (app2ext_disable_all_external_pkgs() < 0)
-                       _E("app2ext_disable_all_external_pkgs() failed");
-
-
        if (start_th) {
                _D("Start New thread for block device");
                th_manager[thread_id].start_th = false;