
Commit 68fa2946 authored by Soumya Managoli's avatar Soumya Managoli Committed by Gerrit - the friendly Code Review server

dsp: q6lsm: Address use after free for mmap handle



The global declared mmap_handle can be left dangling
for case when the handle is freed by the calling function.
The fix is to reset the global pointer to NULL before returning. Also
add a check that rejects a new call while mmap_handle is still in use.

Change-Id: I367f8a41339aa0025b545b125ee820220efedeee
Signed-off-by: default avatarSoumya Managoli <quic_c_smanag@quicinc.com>
parent b68e8508
+7 −1
@@ -472,6 +472,10 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
	}

	pr_debug("%s: enter wait %d\n", __func__, wait);
	if (mmap_handle_p) {
		pr_debug("%s: Invalid mmap_handle\n", __func__);
		return -EINVAL;
	}
	if (wait)
		mutex_lock(&lsm_common.apr_lock);
	if (mmap_p) {
@@ -517,6 +521,7 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,

	if (mmap_p && *mmap_p == 0)
		ret = -ENOMEM;
	mmap_handle_p = NULL;
	pr_debug("%s: leave ret %d\n", __func__, ret);
	return ret;
}
@@ -2040,6 +2045,7 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
	case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
		if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
			spin_lock_irqsave(&mmap_lock, flags);
			if (mmap_handle_p)
				*mmap_handle_p = command;
			/* spin_unlock_irqrestore implies barrier */
			spin_unlock_irqrestore(&mmap_lock, flags);
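Review bot: The added reset `mmap_handle_p = NULL;` in q6lsm_apr_send_pkt is written without holding `mmap_lock`, whereas q6lsm_mmapcallback tests and dereferences the same pointer under that spinlock, so a late callback (for instance one arriving after the wait timed out) can still have read the stale pointer and write through it after the caller has freed its handle; the window is narrowed, not closed. Order the clear with the callback by taking the spinlock around it, `spin_lock_irqsave(&mmap_lock, flags); mmap_handle_p = NULL; spin_unlock_irqrestore(&mmap_lock, flags);` (a local `flags` would need declaring in the sender). The new `if (mmap_handle_p)` guard at the top of the first hunk also runs before `apr_lock` is taken, so two concurrent callers can both observe NULL and pass it; doing the check after the mutex is held would make it an actual exclusion check rather than a best-effort one. The part of q6lsm_apr_send_pkt where mmap_handle_p is assigned and the mutex is released lies between the hunks and outside this view, and the callback's switch continues past the last line, so the exact placement should be confirmed against the full function.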