
Commit 5bdb6c33 authored by Saurav Kumar's avatar Saurav Kumar

dsp: add change to fix use-after-free issue



Add change to properly handle the pointers by setting them to
NULL after free and adding some null checks before dereferencing.

Change-Id: I3e52b9a6885a8d8a91c09f75fe92ba69e3eb555f
Signed-off-by: default avatarSaurav Kumar <sauravk@codeaurora.org>
parent 346468d5
+9 −2
// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
 * Copyright (c) 2013-2020, The Linux Foundation. All rights reserved.
 */

#include <linux/init.h>
@@ -67,7 +67,7 @@ static int msm_audio_dma_buf_map(struct dma_buf *dma_buf,
				 dma_addr_t *addr, size_t *len)
{

	struct msm_audio_alloc_data *alloc_data;
	struct msm_audio_alloc_data *alloc_data = NULL;
	struct device *cb_dev;
	unsigned long ionflag = 0;
	int rc = 0;
@@ -133,6 +133,7 @@ static int msm_audio_dma_buf_map(struct dma_buf *dma_buf,
		       alloc_data->attach);
free_alloc_data:
	kfree(alloc_data);
	alloc_data = NULL;

	return rc;
}
@@ -170,6 +171,7 @@ static int msm_audio_dma_buf_unmap(struct dma_buf *dma_buf)

			list_del(&(alloc_data->list));
			kfree(alloc_data);
			alloc_data = NULL;
			break;
		}
	}
@@ -312,6 +314,11 @@ static int msm_audio_ion_map_buf(struct dma_buf *dma_buf, dma_addr_t *paddr,
{
	int rc = 0;

	if (!dma_buf || !paddr || !vaddr || !plen) {
		pr_err("%s: Invalid params\n", __func__);
		return -EINVAL;
	}

	rc = msm_audio_ion_get_phys(dma_buf, paddr, plen);
	if (rc) {
		pr_err("%s: ION Get Physical for AUDIO failed, rc = %d\n",
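Review bot: In msm_audio_dma_buf_map the added `alloc_data = NULL;` after `kfree(alloc_data);` at `free_alloc_data:` is a store to a local that is followed directly by `return rc;`, so on its own it cannot prevent a use-after-free; any other reference to the freed node is left as it was. The same pattern appears before `break` in msm_audio_dma_buf_unmap and in the `buffer_node`, `mmap_region_cmd` and `buf_node` stores of the second file, whose declarations are outside the hunks but which look like locals as well. If a stale pointer was actually observed, the description should name the path that held it, and the `list_del()`/`kfree()` pair should be checked against every walker of that list for a common lock. If the stores are kept as a convention, a comment such as `/* defensive only: local pointer, list access is serialized by <lock> */` would say so. Both function bodies continue outside the hunks, so the locking itself cannot be confirmed from this page.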
+6 −0
@@ -8486,6 +8486,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
	if (mmap_region_cmd == NULL) {
		rc = -EINVAL;
		kfree(buffer_node);
		buffer_node = NULL;
		return rc;
	}
	mmap_regions = (struct avs_cmd_shared_mem_map_regions *)
@@ -8522,6 +8523,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
					mmap_regions->hdr.opcode, rc);
		rc = -EINVAL;
		kfree(buffer_node);
		buffer_node = NULL;
		goto fail_cmd;
	}

@@ -8533,6 +8535,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
		pr_err("%s: timeout. waited for memory_map\n", __func__);
		rc = -ETIMEDOUT;
		kfree(buffer_node);
		buffer_node = NULL;
		goto fail_cmd;
	}
	if (atomic_read(&ac->mem_state) > 0) {
@@ -8542,6 +8545,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
		rc = adsp_err_get_lnx_err_code(
			atomic_read(&ac->mem_state));
		kfree(buffer_node);
		buffer_node = NULL;
		goto fail_cmd;
	}
	mutex_lock(&ac->cmd_lock);
@@ -8561,6 +8565,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
	rc = 0;
fail_cmd:
	kfree(mmap_region_cmd);
	mmap_region_cmd = NULL;
	return rc;
}
EXPORT_SYMBOL(q6asm_memory_map_regions);
@@ -8656,6 +8661,7 @@ static int q6asm_memory_unmap_regions(struct audio_client *ac, int dir)
		if (buf_node->buf_phys_addr == buf_add) {
			list_del(&buf_node->list);
			kfree(buf_node);
			buf_node = NULL;
			break;
		}
	}
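Review bot: `kfree(buffer_node); buffer_node = NULL;` is now written out on four separate error paths of q6asm_memory_map_regions (the `mmap_region_cmd == NULL` return and the three `goto fail_cmd` branches), so a later error path can easily miss the free and leak the allocation. Keeping the release in one place would be safer, for example a `free_buffer_node:` label with `kfree(buffer_node);` placed directly above `fail_cmd:` and reached only by failure paths; the success path has to jump past it because `rc = 0;` currently falls through into `fail_cmd:`. The function starts outside these hunks, so whether buffer_node is already linked into a list on any of these paths is not visible here and should be confirmed before restructuring.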