Commit a3da1921 authored Aug 11, 2020 by Jeya R Committed by Gerrit - the friendly Code Review server Aug 11, 2020

msm: adsprpc: Avoid race condition during map find and free



Protect remote heap buffer list with spin lock while freeing
to avoid UAF in fastrpc_mmap_find() on a buffer that is freed
in fastrpc_mmap_free().

Change-Id: I524abf80087a5a53dfdf81c81ef34cd13f6a43cb
Acked-by: Maitreyi Gupta <maitreyi@qti.qualcomm.com>
Signed-off-by: jeyr <jeyr@codeaurora.org>

parent 350bf52c

drivers/char/adsprpc.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -733,9 +733,11 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map, uint32_t flags)
		}
		if (map->flags == ADSP_MMAP_HEAP_ADDR \|\|
		map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
		spin_lock(&me->hlock);
		map->refs--;
		if (!map->refs)
		hlist_del_init(&map->hn);
		spin_unlock(&me->hlock);
		if (map->refs > 0)
		return;
		} else {