misc: fastrpc: fix memory corruption on open
commit d245f43aab2b61195d8ebb64cef7b5a08c590ab4 upstream.
The probe session-duplication overflow check incremented the session
count also when there were no more available sessions so that memory
beyond the fixed-size slab-allocated session array could be corrupted in
fastrpc_session_alloc() on open().
Fixes: f6f9279f2b ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable@vger.kernel.org # 5.1
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20220829080531.29681-3-johan+linaro@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Johan Hovold
Greg Kroah-Hartman
parent
ec186b9f4a
commit
f8632b8bb5
@ -1362,7 +1362,7 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
|
||||
spin_unlock_irqrestore(&cctx->lock, flags);
|
||||
return -ENOSPC;
|
||||
}
|
||||
sess = &cctx->session[cctx->sesscount];
|
||||
sess = &cctx->session[cctx->sesscount++];
|
||||
sess->used = false;
|
||||
sess->valid = true;
|
||||
sess->dev = dev;
|
||||
@ -1375,13 +1375,12 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
|
||||
struct fastrpc_session_ctx *dup_sess;
|
||||
|
||||
for (i = 1; i < sessions; i++) {
|
||||
if (cctx->sesscount++ >= FASTRPC_MAX_SESSIONS)
|
||||
if (cctx->sesscount >= FASTRPC_MAX_SESSIONS)
|
||||
break;
|
||||
dup_sess = &cctx->session[cctx->sesscount];
|
||||
dup_sess = &cctx->session[cctx->sesscount++];
|
||||
memcpy(dup_sess, sess, sizeof(*dup_sess));
|
||||
}
|
||||
}
|
||||
cctx->sesscount++;
|
||||
spin_unlock_irqrestore(&cctx->lock, flags);
|
||||
rc = dma_set_mask(dev, DMA_BIT_MASK(32));
|
||||
if (rc) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user