
Commit f8632b8b authored by Johan Hovold, committed by Greg Kroah-Hartman

misc: fastrpc: fix memory corruption on open



commit d245f43aab2b61195d8ebb64cef7b5a08c590ab4 upstream.

The probe session-duplication overflow check incremented the session
count also when there were no more available sessions so that memory
beyond the fixed-size slab-allocated session array could be corrupted in
fastrpc_session_alloc() on open().

Fixes: f6f9279f ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable@vger.kernel.org      # 5.1
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20220829080531.29681-3-johan+linaro@kernel.org


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent ec186b9f
+3 −4
@@ -1362,7 +1362,7 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
		spin_unlock_irqrestore(&cctx->lock, flags);
		return -ENOSPC;
	}
	sess = &cctx->session[cctx->sesscount];
	sess = &cctx->session[cctx->sesscount++];
	sess->used = false;
	sess->valid = true;
	sess->dev = dev;
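
Review bot: the post-increment in `sess = &cctx->session[cctx->sesscount++];` relies entirely on the check that ends in `return -ENOSPC` just above, and that condition is outside the visible context. Please confirm it rejects `cctx->sesscount >= FASTRPC_MAX_SESSIONS` rather than `>`, because with the increment fused into the index an off-by-one there would let the following `sess->used`, `sess->valid` and `sess->dev` stores land past the end of the session array. A one-line comment stating that sesscount is only advanced after a bounds check, while cctx->lock is held, would make the invariant explicit.
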
@@ -1375,13 +1375,12 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
		struct fastrpc_session_ctx *dup_sess;

		for (i = 1; i < sessions; i++) {
			if (cctx->sesscount++ >= FASTRPC_MAX_SESSIONS)
			if (cctx->sesscount >= FASTRPC_MAX_SESSIONS)
				break;
			dup_sess = &cctx->session[cctx->sesscount];
			dup_sess = &cctx->session[cctx->sesscount++];
			memcpy(dup_sess, sess, sizeof(*dup_sess));
		}
	}
	cctx->sesscount++;
	spin_unlock_irqrestore(&cctx->lock, flags);
	rc = dma_set_mask(dev, DMA_BIT_MASK(32));
	if (rc) {
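
Review bot: in the duplication loop, when `if (cctx->sesscount >= FASTRPC_MAX_SESSIONS)` takes the `break`, probe carries on with fewer than `sessions` duplicates and nothing is reported. Consider recording that the loop was cut short and emitting a dev_warn() after `spin_unlock_irqrestore(&cctx->lock, flags);`, or add a comment that the truncation is intentional, so a request for more sessions than FASTRPC_MAX_SESSIONS shows up in the log instead of being silently clipped.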