
Commit fd816a90 authored by Mohammed Nayeem Ur Rahman's avatar Mohammed Nayeem Ur Rahman

msm: ADSPRPC: Fix to avoid race condition and use after free



Currently mmap and munmap take the same mutex, but munmap_fd does not,
which allows a race between mmap and munmap_fd. There is also a
use-after-free scenario in get_args and init_process: only mmap_create
is protected, so the map can be freed after it is looked up. Unify the
mutex to close the race, and restrict munmap_fd to persistent buffers
to avoid the use-after-free.

Change-Id: I2adf631b1e61c2274a14a3645a5e555f5d248645
Acked-by: default avatarEkansh Gupta <ekangupt@qti.qualcomm.com>
Signed-off-by: default avatarMohammed Nayeem Ur Rahman <mohara@codeaurora.org>
parent fbad67d3
+14 −5
@@ -3198,7 +3198,7 @@ static int fastrpc_internal_munmap(struct fastrpc_file *fl,
		pr_err("adsprpc: ERROR: %s: user application %s trying to unmap without initialization\n",
			 __func__, current->comm);
		err = EBADR;
		goto bail;
		return err;
	}
	mutex_lock(&fl->internal_map_mutex);

@@ -3247,6 +3247,11 @@ static int fastrpc_internal_munmap(struct fastrpc_file *fl,
	return err;
}

/*
 *	fastrpc_internal_munmap_fd can only be used for buffers
 *	mapped with persist attributes. This can only be called
 *	once for any persist buffer
 */
static int fastrpc_internal_munmap_fd(struct fastrpc_file *fl,
				struct fastrpc_ioctl_munmap_fd *ud)
{
@@ -3255,14 +3260,15 @@ static int fastrpc_internal_munmap_fd(struct fastrpc_file *fl,

	VERIFY(err, (fl && ud));
	if (err)
		goto bail;
		return err;
	VERIFY(err, fl->dsp_proc_init == 1);
	if (err) {
		pr_err("adsprpc: ERROR: %s: user application %s trying to unmap without initialization\n",
			__func__, current->comm);
		err = EBADR;
		goto bail;
		return err;
	}
	mutex_lock(&fl->internal_map_mutex);
	mutex_lock(&fl->map_mutex);
	if (fastrpc_mmap_find(fl, ud->fd, ud->va, ud->len, 0, 0, &map)) {
		pr_err("adsprpc: mapping not found to unmap fd 0x%x, va 0x%llx, len 0x%x\n",
@@ -3272,10 +3278,13 @@ static int fastrpc_internal_munmap_fd(struct fastrpc_file *fl,
		mutex_unlock(&fl->map_mutex);
		goto bail;
	}
	if (map)
	if (map && (map->attr & FASTRPC_ATTR_KEEP_MAP)) {
		map->attr = map->attr & (~FASTRPC_ATTR_KEEP_MAP);
		fastrpc_mmap_free(map, 0);
	}
	mutex_unlock(&fl->map_mutex);
bail:
	mutex_unlock(&fl->internal_map_mutex);
	return err;
}

@@ -3294,7 +3303,7 @@ static int fastrpc_internal_mmap(struct fastrpc_file *fl,
		pr_err("adsprpc: ERROR: %s: user application %s trying to map without initialization\n",
			__func__, current->comm);
		err = EBADR;
		goto bail;
		return err;
	}
	mutex_lock(&fl->internal_map_mutex);
	if ((ud->flags == ADSP_MMAP_ADD_PAGES) ||
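Review bot: In fastrpc_internal_munmap_fd, a mapping that is found but does not carry FASTRPC_ATTR_KEEP_MAP now falls through the new `if (map && (map->attr & FASTRPC_ATTR_KEEP_MAP))` test and the function returns whatever the successful lookup left in err (0 on the visible path), so userspace receives success for an unmap the driver silently refused. Consider reporting it so a caller can tell a refused unmap from a completed one, e.g. `} else if (map) { err = EBADR; }` after the new block, matching the `err = EBADR` convention the surrounding code uses, possibly with a pr_err like the "mapping not found" one above it. The new header comment says munmap_fd "can only be called once for any persist buffer", but because the code clears the KEEP_MAP bit before calling fastrpc_mmap_free, a second call on the same buffer is a silent no-op rather than a rejected one; the comment would be more accurate as `Clearing FASTRPC_ATTR_KEEP_MAP before the free makes any later munmap_fd on the same map a no-op, so a persist buffer is released at most once.` The body of fastrpc_internal_munmap_fd is cut by the hunk boundary, and whether fastrpc_mmap_free(map, 0) actually releases the map while other references to it remain is not visible here.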