Commit bcea72ce authored by Srinivasarao Pathipati

virt: haven: rm_core: Clean up sequence idr earlier



When RM sends an error for a given call, Linux can re-use that sequence
number later. Presently, the sequence number is kept as reserved and
could cause a denial of service if many messages are crafted which
always return an RM error.

Change-Id: Icc2b054ab8d110c63759e30d62650ebc9d02b234
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
parent 8651cbc0
+4 −4
@@ -639,6 +639,10 @@ void *hh_rm_call(hh_rm_msgid_t message_id,
		goto out;
	}

	mutex_lock(&hh_rm_call_idr_lock);
	idr_remove(&hh_rm_call_idr, connection->seq);
	mutex_unlock(&hh_rm_call_idr_lock);

	*rm_error = connection->rm_error;
	if (connection->rm_error) {
		pr_err("%s: Reply for seq:%d failed with RM err: %d\n",
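Review bot: the `goto out` immediately above the new `idr_remove()` block now skips the removal entirely, because the second hunk drops the same three lines from under `out:`. If `connection->seq` has already been allocated in `hh_rm_call_idr` when that jump is taken, the sequence number stays reserved on that path, which is the leak the commit message sets out to close. Either place the locked `idr_remove()` ahead of that check, or confirm that every `goto out` reachable after allocation releases the id itself.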
@@ -662,10 +666,6 @@ void *hh_rm_call(hh_rm_msgid_t message_id,
	*resp_buff_size = connection->size;

out:
	mutex_lock(&hh_rm_call_idr_lock);
	idr_remove(&hh_rm_call_idr, connection->seq);
	mutex_unlock(&hh_rm_call_idr_lock);

	kfree(connection);
	return ret;
}
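Review bot: with the removal gone, `out:` only does `kfree(connection)`, so nothing at the label documents or enforces that `connection->seq` has already been dropped from `hh_rm_call_idr`. A short comment above `out:` stating that invariant would help future callers of the label. If the idr entry points at `connection`, any path that reaches `kfree(connection)` with the id still registered leaves a stale pointer in the idr, so it is worth checking each jump to `out:` against that. The commit message could also name which path left the sequence number reserved, since both the old and new placement are followed by the `if (connection->rm_error)` branch.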