From 9ec95bb9c802949888bab323698f6ab77ee0fc1c Mon Sep 17 00:00:00 2001 From: Saurav Kumar Date: Tue, 18 Aug 2020 18:33:35 +0530 Subject: [PATCH] dsp: add change to fix use-after-free issue Add change to properly handle the pointers by setting them to NULL after free and adding some null checks before dereferencing. Change-Id: I3e52b9a6885a8d8a91c09f75fe92ba69e3eb555f Signed-off-by: Saurav Kumar --- dsp/msm_audio_ion.c | 9 ++++++++- dsp/q6asm.c | 6 ++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/dsp/msm_audio_ion.c b/dsp/msm_audio_ion.c index ac89b2a29bc4..32ecac808b00 100644 --- a/dsp/msm_audio_ion.c +++ b/dsp/msm_audio_ion.c @@ -69,7 +69,7 @@ static int msm_audio_dma_buf_map(struct dma_buf *dma_buf, bool cma_mem) { - struct msm_audio_alloc_data *alloc_data; + struct msm_audio_alloc_data *alloc_data = NULL; struct device *cb_dev; unsigned long ionflag = 0; int rc = 0; @@ -138,6 +138,7 @@ detach_dma_buf: alloc_data->attach); free_alloc_data: kfree(alloc_data); + alloc_data = NULL; return rc; } @@ -179,6 +180,7 @@ static int msm_audio_dma_buf_unmap(struct dma_buf *dma_buf, bool cma_mem) list_del(&(alloc_data->list)); kfree(alloc_data); + alloc_data = NULL; break; } } @@ -321,6 +323,11 @@ static int msm_audio_ion_map_buf(struct dma_buf *dma_buf, dma_addr_t *paddr, { int rc = 0; + if (!dma_buf || !paddr || !vaddr || !plen) { + pr_err("%s: Invalid params\n", __func__); + return -EINVAL; + } + rc = msm_audio_ion_get_phys(dma_buf, paddr, plen); if (rc) { pr_err("%s: ION Get Physical for AUDIO failed, rc = %d\n", diff --git a/dsp/q6asm.c b/dsp/q6asm.c index 5e9b826ff7b1..0fc821d72485 100644 --- a/dsp/q6asm.c +++ b/dsp/q6asm.c @@ -8487,6 +8487,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir, if (mmap_region_cmd == NULL) { rc = -EINVAL; kfree(buffer_node); + buffer_node = NULL; return rc; } mmap_regions = (struct avs_cmd_shared_mem_map_regions *) 
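Review bot: The new `alloc_data = NULL;` under `free_alloc_data:` in msm_audio_dma_buf_map is followed directly by `return rc;`, and alloc_data is the function-local declared in the first hunk, so the store is dead and cannot prevent any use-after-free — the compiler will simply drop it. A dangling reference here can only be a copy of the pointer that outlives the return (for instance if alloc_data has already been linked into a list when this error path is taken), and that is what would need to be unlinked. If the intent is just to make the lifetime obvious, a comment such as `/* alloc_data is local and unpublished on this path; nothing references it after kfree */` documents it better than a dead assignment. The body of msm_audio_dma_buf_map between the first and second hunk is outside this view, so whether the pointer is published before the error labels cannot be confirmed here.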
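Review bot: In msm_audio_dma_buf_unmap the entry is unlinked with `list_del(&(alloc_data->list))`, freed, and the loop exits with `break`, so `alloc_data = NULL;` is a dead store on a loop cursor that is never read again. The use-after-free that matters in this function is another context still holding or looking up the same list entry while it is freed; this hunk does not show whether the walk and the list_del run under the lock that protects the list, and if they do not, that — not a NULL store — is the fix. If the list is already protected, a one-line comment naming the lock, e.g. `/* list walk and list_del run under <lock>; no concurrent lookup can see the freed entry */`, makes the invariant reviewable. The function's start and the loop header are outside the hunk.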
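Review bot: `buffer_node = NULL;` is inserted between `kfree(buffer_node);` and `return rc;` in q6asm_memory_map_regions, so the local is never read afterwards and the store has no effect on any use-after-free. While touching this path it is worth noting that the branch is taken when `mmap_region_cmd == NULL`, which from the surrounding code appears to be an allocation failure, yet it reports `rc = -EINVAL;`; `rc = -ENOMEM;` would tell callers the real cause (this is pre-existing, not introduced by the patch). The rest of q6asm_memory_map_regions continues outside this hunk.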
@@ -8523,6 +8524,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir, mmap_regions->hdr.opcode, rc); rc = -EINVAL; kfree(buffer_node); + buffer_node = NULL; goto fail_cmd; } @@ -8534,6 +8536,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir, pr_err("%s: timeout. waited for memory_map\n", __func__); rc = -ETIMEDOUT; kfree(buffer_node); + buffer_node = NULL; goto fail_cmd; } if (atomic_read(&ac->mem_state) > 0) { @@ -8543,6 +8546,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir, rc = adsp_err_get_lnx_err_code( atomic_read(&ac->mem_state)); kfree(buffer_node); + buffer_node = NULL; goto fail_cmd; } mutex_lock(&ac->cmd_lock); @@ -8562,6 +8566,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir, rc = 0; fail_cmd: kfree(mmap_region_cmd); + mmap_region_cmd = NULL; return rc; } EXPORT_SYMBOL(q6asm_memory_map_regions); @@ -8657,6 +8662,7 @@ fail_cmd: if (buf_node->buf_phys_addr == buf_add) { list_del(&buf_node->list); kfree(buf_node); + buf_node = NULL; break; } }
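Review bot: The `mmap_region_cmd = NULL;` added under `fail_cmd:` is immediately followed by `return rc;`, so it is a dead store, and the same pattern is repeated on the three error paths above (`kfree(buffer_node); buffer_node = NULL; goto fail_cmd;` for the send failure, the timeout and the mem_state error), because `fail_cmd:` only releases mmap_region_cmd. A second cleanup label that frees buffer_node and falls into `fail_cmd:` removes the duplicated frees and the dead assignments without changing which pointers are released on each path; the success path keeps buffer_node exactly as it does now, since it returns before the labels. The error paths would then read `goto fail_buffer_node;`. Lines between the mem_state hunk and `rc = 0;` are outside this view, so any further error path there that already jumps to fail_cmd keeps working unchanged.

```c
	/* … unchanged: success path up to and including the list insert … */
	kfree(mmap_region_cmd);
	return 0;

fail_buffer_node:
	kfree(buffer_node);
fail_cmd:
	kfree(mmap_region_cmd);
	return rc;
}
```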
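Review bot: In the last hunk `buf_node = NULL;` sits between `kfree(buf_node);` and `break;`, so the cursor is never dereferenced again and the assignment does nothing against a use-after-free. What makes this loop body safe is the `break` itself — after `list_del` the cursor's links are poisoned and the iterator must not advance — and the scenario the commit message describes would come from a concurrent lookup of the same buf_node while it is being freed, which this hunk does not show to be excluded by a lock. Replacing the dead store with `/* entry is freed; break so the iterator never touches its links again */` and confirming (or adding) lock coverage around the walk is the change I would expect here. The enclosing function starts before the hunk; its header context (`fail_cmd:`) only shows it follows an error label.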