msm: adsprpc: Handle UAF in process shell memory (013c620b) · Commits · e / devices / android_kernel_fairphone_FP3

drivers/char/adsprpc.c

+10 −4

Original line number	Diff line number	Diff line
		@@ -351,6 +351,7 @@ struct fastrpc_mmap {
		int uncached;
		int secure;
		uintptr_t attr;
		bool is_filemap; /flag to indicate map used in process init/
		};

		enum fastrpc_perfkeys {
		@@ -687,9 +688,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va,

		spin_lock(&me->hlock);
		hlist_for_each_entry_safe(map, n, &me->maps, hn) {
		if (map->raddr == va &&
		if (map->refs == 1 && map->raddr == va &&
		map->raddr + map->len == va + len &&
		map->refs == 1) {
		/Remove map if not used in process initialization/
		!map->is_filemap) {
		match = map;
		hlist_del_init(&map->hn);
		break;
		@@ -701,9 +703,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va,
		return 0;
		}
		hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
		if (map->raddr == va &&
		if (map->refs == 1 && map->raddr == va &&
		map->raddr + map->len == va + len &&
		map->refs == 1) {
		/Remove map if not used in process initialization/
		!map->is_filemap) {
		match = map;
		hlist_del_init(&map->hn);
		break;
		@@ -843,6 +846,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd,
		map->fl = fl;
		map->fd = fd;
		map->attr = attr;
		map->is_filemap = false;
		if (mflags == ADSP_MMAP_HEAP_ADDR \|\|
		mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
		unsigned long dma_attrs = DMA_ATTR_SKIP_ZEROING \|
		@@ -2205,6 +2209,8 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
		mutex_lock(&fl->fl_map_mutex);
		VERIFY(err, !fastrpc_mmap_create(fl, init->filefd, 0,
		init->file, init->filelen, mflags, &file));
		if (file)
		file->is_filemap = true;
		mutex_unlock(&fl->fl_map_mutex);
		if (err)
		goto bail;