
Commit e72c8566 authored by qctecmdr's avatar qctecmdr Committed by Gerrit - the friendly Code Review server

Merge "msm: ADSPRPC: Fix to avoid Use after free in create_dynamic_process"

parents 2ae37c23 5766228b
+16 −0
@@ -645,6 +645,8 @@ struct fastrpc_file {
	struct completion work;
	/* Flag to indicate ram dump collection status*/
	bool is_ramdump_pend;
	/* Flag to indicate dynamic process creation status*/
	bool in_process_create;
};

static struct fastrpc_apps gfa;
@@ -3658,6 +3660,15 @@ static int fastrpc_init_create_dynamic_process(struct fastrpc_file *fl,
		int siglen;
	} inbuf;

	spin_lock(&fl->hlock);
	if (fl->in_process_create) {
		err = -EALREADY;
		ADSPRPC_ERR("Already in create dynamic process\n");
		spin_unlock(&fl->hlock);
		return err;
	}
	fl->in_process_create = true;
	spin_unlock(&fl->hlock);
	inbuf.pgid = fl->tgid;
	inbuf.namelen = strlen(current->comm) + 1;
	inbuf.filelen = init->filelen;
@@ -3824,6 +3835,9 @@ static int fastrpc_init_create_dynamic_process(struct fastrpc_file *fl,
			locked = 0;
		}
	}
	spin_lock(&fl->hlock);
	fl->in_process_create = false;
	spin_unlock(&fl->hlock);
	return err;
}

@@ -5187,6 +5201,7 @@ static int fastrpc_file_free(struct fastrpc_file *fl)
	spin_lock(&fl->apps->hlock);
	hlist_del_init(&fl->hn);
	fl->is_ramdump_pend = false;
	fl->in_process_create = false;
	spin_unlock(&fl->apps->hlock);
	kfree(fl->debug_buf);
	kfree(fl->gidlist.gids);
@@ -5594,6 +5609,7 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp)
	fl->qos_request = 0;
	fl->dsp_proc_init = 0;
	fl->is_ramdump_pend = false;
	fl->in_process_create = false;
	init_completion(&fl->work);
	fl->file_close = FASTRPC_PROCESS_DEFAULT_STATE;
	filp->private_data = fl;
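Review bot: `in_process_create` ends up guarded by two different locks: the test-and-set at the top of fastrpc_init_create_dynamic_process and the clear before its final `return err` hold `fl->hlock`, while the reset added in fastrpc_file_free is done under `fl->apps->hlock`. If teardown can overlap an in-flight create, that store is not serialized with the guard and would reopen the window the flag is meant to close; if it cannot, the reset is dead and is better dropped than left implying a second owner. I would document the rule on the field, e.g. `/* Set while fastrpc_init_create_dynamic_process() runs; protected by fl->hlock */`, and make fastrpc_file_free follow it. The body between the set and the clear is outside the visible hunks, so it is worth confirming that every exit there reaches the final clear, since a direct return would leave the flag set and every later call on that file would fail with -EALREADY.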