Commit bf6b7f14 authored Aug 10, 2020 by Jeya R Committed by Gerrit - the friendly Code Review server Aug 11, 2020

adsprpc: Avoid race condition during map find and free



Protect remote heap buffer list with spin lock while freeing
to avoid UAF in fastrpc_mmap_find() on a buffer that is freed
in fastrpc_mmap_free().

Change-Id: Ic3d5219898fcf23fb813eabe5fc2f187b397a472
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
Signed-off-by: Jeya R <jeyr@codeaurora.org>

parent 8f5e22e3

drivers/char/adsprpc.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -877,9 +877,11 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map, uint32_t flags)
		}
		if (map->flags == ADSP_MMAP_HEAP_ADDR \|\|
		map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
		spin_lock(&me->hlock);
		map->refs--;
		if (!map->refs)
		hlist_del_init(&map->hn);
		spin_unlock(&me->hlock);
		if (map->refs > 0)
		return;
		} else {