lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dsp: add change to fix use-after-free issue

Browse Source 
Add change to properly handle the pointers by setting them to
NULL after free and adding some null checks before dereferencing.

Change-Id: I3e52b9a6885a8d8a91c09f75fe92ba69e3eb555f
Signed-off-by: Saurav Kumar <sauravk@codeaurora.org>
This commit is contained in:
Saurav Kumar 2020-08-18 18:33:35 +05:30 committed by Gerrit - the friendly Code Review server
parent c896ed2237
commit 9ec95bb9c8
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
dsp/msm_audio_ion.c
View File

@ -69,7 +69,7 @@ static int msm_audio_dma_buf_map(struct dma_buf *dma_buf,
bool cma_mem) bool cma_mem)
{ {
struct msm_audio_alloc_data *alloc_data; struct msm_audio_alloc_data *alloc_data = NULL;
struct device *cb_dev; struct device *cb_dev;
unsigned long ionflag = 0; unsigned long ionflag = 0;
int rc = 0; int rc = 0;
@ -138,6 +138,7 @@ detach_dma_buf:
alloc_data->attach); alloc_data->attach);
free_alloc_data: free_alloc_data:
kfree(alloc_data); kfree(alloc_data);
alloc_data = NULL;
return rc; return rc;
} }
@ -179,6 +180,7 @@ static int msm_audio_dma_buf_unmap(struct dma_buf *dma_buf, bool cma_mem)
list_del(&(alloc_data->list)); list_del(&(alloc_data->list));
kfree(alloc_data); kfree(alloc_data);
alloc_data = NULL;
break; break;
} }
} }
@ -321,6 +323,11 @@ static int msm_audio_ion_map_buf(struct dma_buf *dma_buf, dma_addr_t *paddr,
{ {
int rc = 0; int rc = 0;
if (!dma_buf || !paddr || !vaddr || !plen) {
pr_err("%s: Invalid params\n", __func__);
return -EINVAL;
}
rc = msm_audio_ion_get_phys(dma_buf, paddr, plen); rc = msm_audio_ion_get_phys(dma_buf, paddr, plen);
if (rc) { if (rc) {
pr_err("%s: ION Get Physical for AUDIO failed, rc = %d\n", pr_err("%s: ION Get Physical for AUDIO failed, rc = %d\n",

6
dsp/q6asm.c
View File

@ -8487,6 +8487,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
if (mmap_region_cmd == NULL) { if (mmap_region_cmd == NULL) {
rc = -EINVAL; rc = -EINVAL;
kfree(buffer_node); kfree(buffer_node);
buffer_node = NULL;
return rc; return rc;
} }
mmap_regions = (struct avs_cmd_shared_mem_map_regions *) mmap_regions = (struct avs_cmd_shared_mem_map_regions *)
@ -8523,6 +8524,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
mmap_regions->hdr.opcode, rc); mmap_regions->hdr.opcode, rc);
rc = -EINVAL; rc = -EINVAL;
kfree(buffer_node); kfree(buffer_node);
buffer_node = NULL;
goto fail_cmd; goto fail_cmd;
} }
@ -8534,6 +8536,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
pr_err("%s: timeout. waited for memory_map\n", __func__); pr_err("%s: timeout. waited for memory_map\n", __func__);
rc = -ETIMEDOUT; rc = -ETIMEDOUT;
kfree(buffer_node); kfree(buffer_node);
buffer_node = NULL;
goto fail_cmd; goto fail_cmd;
} }
if (atomic_read(&ac->mem_state) > 0) { if (atomic_read(&ac->mem_state) > 0) {
@ -8543,6 +8546,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
rc = adsp_err_get_lnx_err_code( rc = adsp_err_get_lnx_err_code(
atomic_read(&ac->mem_state)); atomic_read(&ac->mem_state));
kfree(buffer_node); kfree(buffer_node);
buffer_node = NULL;
goto fail_cmd; goto fail_cmd;
} }
mutex_lock(&ac->cmd_lock); mutex_lock(&ac->cmd_lock);
@ -8562,6 +8566,7 @@ static int q6asm_memory_map_regions(struct audio_client *ac, int dir,
rc = 0; rc = 0;
fail_cmd: fail_cmd:
kfree(mmap_region_cmd); kfree(mmap_region_cmd);
mmap_region_cmd = NULL;
return rc; return rc;
} }
EXPORT_SYMBOL(q6asm_memory_map_regions); EXPORT_SYMBOL(q6asm_memory_map_regions);
@ -8657,6 +8662,7 @@ fail_cmd:
if (buf_node->buf_phys_addr == buf_add) { if (buf_node->buf_phys_addr == buf_add) {
list_del(&buf_node->list); list_del(&buf_node->list);
kfree(buf_node); kfree(buf_node);
buf_node = NULL;
break; break;
} }
} }