msm: ADSPRPC: Fix to avoid Use after free in fastrpc_init_process (6f1c3ed7) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/char/adsprpc.c

+18 −0

Original line number	Diff line number	Diff line
		@@ -482,6 +482,8 @@ struct fastrpc_file {
		uint32_t ws_timeout;
		/* To indicate attempt has been made to allocate memory for debug_buf */
		int debug_buf_alloced_attempted;
		/* Flag to indicate dynamic process creation status*/
		bool in_process_create;
		};

		static struct fastrpc_apps gfa;
		@@ -2577,6 +2579,15 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
		int siglen;
		} inbuf;

		spin_lock(&fl->hlock);
		if (fl->in_process_create) {
		err = -EALREADY;
		pr_err("Already in create init process\n");
		spin_unlock(&fl->hlock);
		return err;
		}
		fl->in_process_create = true;
		spin_unlock(&fl->hlock);
		inbuf.pgid = fl->tgid;
		inbuf.namelen = strlen(current->comm) + 1;
		inbuf.filelen = init->filelen;
		@@ -2788,6 +2799,11 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
		fastrpc_mmap_free(file, 0);
		mutex_unlock(&fl->map_mutex);
		}
		if (init->flags == FASTRPC_INIT_CREATE) {
		spin_lock(&fl->hlock);
		fl->in_process_create = false;
		spin_unlock(&fl->hlock);
		}
		return err;
		}

		@@ -3700,6 +3716,7 @@ static int fastrpc_file_free(struct fastrpc_file *fl)
		}
		spin_lock(&fl->hlock);
		fl->file_close = 1;
		fl->in_process_create = false;
		spin_unlock(&fl->hlock);
		if (!IS_ERR_OR_NULL(fl->init_mem))
		fastrpc_buf_free(fl->init_mem, 0);
		@@ -4101,6 +4118,7 @@ static int fastrpc_device_open(struct inode inode, struct file filp)
		fl->cid = -1;
		fl->dev_minor = dev_minor;
		fl->init_mem = NULL;
		fl->in_process_create = false;
		memset(&fl->perf, 0, sizeof(fl->perf));
		fl->qos_request = 0;
		fl->dsp_proc_init = 0;