author: Greg Hackmann <ghackmann@google.com> 2016-04-20 16:33:18 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2016-09-09 16:56:27 -0700
commit: 6cced823ba428dbf6913d6d5a5369c54b0fcbc8d (patch)
tree: 3fd5fee885678aa9ca34528d1fca96edfe044621
parent: 3dc7ca5e82cc56abc0463e35f1851cd8e2eed97a (diff)
video: adf: zero out mapping data on adf_buffer_map() failure
If the following call chain fails

adf_device_post_nocopy() ->
  adf_buffer_map() ->
    dma_buf_attach();
    dma_buf_map_attachment()

then the attachment returned by dma_buf_attach() will get cleaned up twice: first during the error-handling path inside adf_buffer_map(), and again during the error-handling path inside adf_device_post_nocopy().

Fix this by zeroing out the mapping data inside adf_buffer_map()'s error-handling path. When adf_device_post_nocopy() hands it back to adf_buffer_mapping_cleanup(), it will deliberately skip over zeroed-out data.

(The second adf_buffer_mapping_cleanup() call inside adf_device_post_nocopy() is not a bug; it's intended to clean up after any *other* buffers we handled as part of this request.)

CVE: CVE-2016-3811
Bug: 28025945
Bug: 28279077
Change-Id: I824d980b208da3a15d35f74970755c8f18500263
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Git-repo: https://android.googlesource.com/kernel/msm.git
Git-commit: 4436de7a92d037599e0d217f16f9c391b6ad866a
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
-rw-r--r-- drivers/video/adf/adf_client.c | 4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/video/adf/adf_client.c b/drivers/video/adf/adf_client.c
index 8061d8e6b9fb..75b2f0b18522 100644
--- a/drivers/video/adf/adf_client.c
+++ b/drivers/video/adf/adf_client.c
@@ -305,8 +305,10 @@ static int adf_buffer_map(struct adf_device *dev, struct adf_buffer *buf,
}
done:
- if (ret < 0)
+ if (ret < 0) {
adf_buffer_mapping_cleanup(mapping, buf);
+ memset(mapping, 0, sizeof(*mapping));
+ }
return ret;
}
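Review bot: The correctness of the added `memset(mapping, 0, sizeof(*mapping));` depends on an invariant that is not visible in this hunk, namely that adf_buffer_mapping_cleanup() treats zeroed-out attachment and sg_table entries as "nothing to release" when adf_device_post_nocopy() calls it a second time on the same mapping; please add a one-line comment above the memset stating that the zeroing exists to make the caller's cleanup a no-op, so a later change to adf_buffer_mapping_cleanup() that stops skipping NULL entries does not silently reintroduce the double release. The ordering here is right (cleanup first, then zero), since zeroing before the cleanup would leak the attachment instead of freeing it twice.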