
Commit facfb22a authored by Vamsi krishna Gattupalli's avatar Vamsi krishna Gattupalli Committed by shaohanlin

msm:ADSPRPC :Fix to avoid Use after free in fastrpc_internal_munmap



Added a check to validate the map before freeing it, to avoid a
use-after-free scenario.

Change-Id: Ic723a4fe964a4909119663500018f2a07976105b
Signed-off-by: default avatarVamsi krishna Gattupalli <vgattupa@codeaurora.org>
parent 50645b3a
+9 −7
@@ -2728,6 +2728,7 @@ static int fastrpc_internal_munmap(struct fastrpc_file *fl,
	mutex_unlock(&fl->fl_map_mutex);
	mutex_unlock(&fl->fl_map_mutex);
	if (err)
	if (err)
		goto bail;
		goto bail;
	if (map) {
		VERIFY(err, !fastrpc_munmap_on_dsp(fl, map->raddr,
		VERIFY(err, !fastrpc_munmap_on_dsp(fl, map->raddr,
					map->phys, map->size, map->flags));
					map->phys, map->size, map->flags));
		if (err)
		if (err)
@@ -2735,6 +2736,7 @@ static int fastrpc_internal_munmap(struct fastrpc_file *fl,
		mutex_lock(&fl->fl_map_mutex);
		mutex_lock(&fl->fl_map_mutex);
		fastrpc_mmap_free(map, 0);
		fastrpc_mmap_free(map, 0);
		mutex_unlock(&fl->fl_map_mutex);
		mutex_unlock(&fl->fl_map_mutex);
	}
bail:
bail:
	if (err && map) {
	if (err && map) {
		mutex_lock(&fl->fl_map_mutex);
		mutex_lock(&fl->fl_map_mutex);
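Review bot: The added `if (map)` test only rejects a NULL pointer, so it does not by itself establish that `map` is still live when `map->raddr`, `map->phys`, `map->size` and `map->flags` are read after `fl_map_mutex` has been released. If the lookup earlier in fastrpc_internal_munmap (outside this hunk) unlinks the mapping under the lock, say so next to the guard, e.g. `/* map was unlinked under fl_map_mutex above; no other thread can free it here */`; if it does not, the dereference should stay under the lock or hold a reference. It would also help to document which path reaches this point with `err == 0` and `map == NULL`, since the function then appears to fall through to `bail` and report success without unmapping anything. The function body starts and ends outside the hunk.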