author | Soumya Managoli <quic_c_smanag@quicinc.com> | 2023-08-17 18:07:03 +0530 |
committer | tmamatha <quic_tmamatha@quicinc.com> | 2023-08-25 04:04:14 -0700 |
commit | 904cadd7903cafa394b1ec2b2dcd9f49fa538259 (patch) | |
tree | 67a1392adec56f78ad5d34eceeaa54eff48ea66b | |
parent | 552544deb1345d9318d7a4b0ec4f8911572944c0 (diff) |
q6lsm: Address use after free for mmap handle.
The globally declared mmap_handle can be left dangling
in the case where the handle is freed by the calling function.
Fix is to address this. Also add a check to make sure
the mmap_handle is accessed legally.
Change-Id: I367f8a41339aa0025b545b125ee820220efedeee
Signed-off-by: Soumya Managoli <quic_c_smanag@quicinc.com>
-rw-r--r-- | sound/soc/msm/qdsp6v2/q6lsm.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sound/soc/msm/qdsp6v2/q6lsm.c b/sound/soc/msm/qdsp6v2/q6lsm.c
index a19f0447c4b4..540f27ffc2fb 100644
--- a/sound/soc/msm/qdsp6v2/q6lsm.c
+++ b/sound/soc/msm/qdsp6v2/q6lsm.c
@@ -339,6 +339,10 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
 	struct apr_hdr *msg_hdr = (struct apr_hdr *) data;
 	pr_debug("%s: enter wait %d\n", __func__, wait);
+	if (mmap_handle_p) {
+		pr_err("%s: Invalid mmap_handle\n", __func__);
+		return -EINVAL;
+	}
 	if (wait)
 		mutex_lock(&lsm_common.apr_lock);
 	if (mmap_p) {
@@ -382,6 +386,7 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
 	if (wait)
 		mutex_unlock(&lsm_common.apr_lock);
+	mmap_handle_p = NULL;
 	pr_debug("%s: leave ret %d\n", __func__, ret);
 	return ret;
 }
@@ -1396,7 +1401,8 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
 	case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
 		if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
 			spin_lock_irqsave(&mmap_lock, flags);
-			*mmap_handle_p = command;
+			if (mmap_handle_p)
+				*mmap_handle_p = command;
 			/* spin_unlock_irqrestore implies barrier */
 			spin_unlock_irqrestore(&mmap_lock, flags);
 			atomic_set(&client->cmd_state, CMD_STATE_CLEARED);
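Review bot: The `mmap_handle_p = NULL;` added at the tail of q6lsm_apr_send_pkt (second hunk) is written without mmap_lock, while q6lsm_mmapcallback (third hunk) tests and dereferences the same pointer under that lock; the callback can therefore pass its new `if (mmap_handle_p)` check and still store through a pointer the sender has just cleared and returned from, so the dangling write this commit targets is narrowed rather than closed. Take the lock around the clear, `spin_lock_irqsave(&mmap_lock, flags); mmap_handle_p = NULL; spin_unlock_irqrestore(&mmap_lock, flags);`, reusing the `flags` this function presumably already declares for the `if (mmap_p)` path (that code is outside the hunk). The entry check in the first hunk likewise reads the global unlocked and before apr_lock is taken, so two concurrent callers can both observe NULL and proceed; it is a best-effort guard, and since it fires when a handle is still in flight rather than when one is malformed, `-EBUSY` with a message such as "mmap handle already in use" would describe it more accurately than the current "Invalid mmap_handle". The body of q6lsm_apr_send_pkt between the first two hunks, including any other return paths, is outside the hunk, so whether every exit clears the pointer cannot be confirmed here.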