Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3192894e authored by Jilai Wang's avatar Jilai Wang
Browse files

msm: npu: Fix use after free issue 



There is possibility that network will be used after free.
This change is to fix this issue.

Change-Id: I25eaf33f2a641127f13ec20df5da29d2b2923828
Signed-off-by: default avatarJilai Wang <quic_jilaiw@quicinc.com>
parent 17911c9a

drivers/media/platform/msm/npu/npu_mgr.c

+15 −0
Original line number Diff line number Diff line
@@ -2574,6 +2574,13 @@ int32_t npu_host_unload_network(struct npu_client *client, 
		return -EINVAL;

	}



	if (network->is_unloading) {

		NPU_ERR("network is unloading\n");

		network_put(network);

		mutex_unlock(&host_ctx->lock);

		return -EINVAL;

	}



	if (!network->is_active) {

		NPU_ERR("network is not active\n");

		network_put(network);
@@ -2591,6 +2598,8 @@ int32_t npu_host_unload_network(struct npu_client *client, 
		goto free_network;

	}



	network->is_unloading = true;



	NPU_DBG("Unload network %lld\n", network->id);

	/* prepare IPC packet for UNLOAD */

	unload_packet.header.cmd_type = NPU_IPC_CMD_UNLOAD;
@@ -2724,6 +2733,12 @@ int32_t npu_host_exec_network_v2(struct npu_client *client, 
	if (atomic_inc_return(&host_ctx->network_execute_cnt) == 1)

		npu_notify_cdsprm_cxlimit_activity(npu_dev, true);



	if (network->is_unloading) {

		NPU_ERR("network is unloading\n");

		ret = -EINVAL;

		goto exec_v2_done;

	}



	if (!network->is_active) {

		NPU_ERR("network is not active\n");

		ret = -EINVAL;

drivers/media/platform/msm/npu/npu_mgr.h

+1 −0
Original line number Diff line number Diff line
@@ -84,6 +84,7 @@ struct npu_network { 
	atomic_t ref_cnt;

	bool is_valid;

	bool is_active;

	bool is_unloading;

	bool fw_error;

	struct npu_client *client;

	struct list_head cmd_list;