Commit 7cf8efc1 authored May 08, 2023 by Tapas Dey Committed by Gerrit - the friendly Code Review server May 15, 2023

msm: adsprpc: Handle UAF in fastrpc_buf_free

Thread T1 add buffer to fl->cached_bufs and release fl->hlock and holding
buffer reference. Now thread T2 will aquire fl->hlock and free buffer in
fastrpc_cached_buf_list_free(). T1 will dereference the freed buffer.
Moving reference buffer uses for T1 inside fl->hlock to avoid UAF.

Change-Id: I5f08d5497099133f87d55f5879cfe50c2ba23ae6
Signed-off-by: Tapas Dey <quic_tapadey@quicinc.com>

parent bb709676

drivers/char/adsprpc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1017,8 +1017,8 @@ static void fastrpc_buf_free(struct fastrpc_buf *buf, int cache)
		}
		hlist_add_head(&buf->hn, &fl->cached_bufs);
		fl->num_cached_buf++;
		spin_unlock(&fl->hlock);
		buf->type = -1;
		spin_unlock(&fl->hlock);
		return;
		}
		skip_buf_cache: