Merge "msm: adsprpc: overflow vulnerability by race condition in adsprpc driver"
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 0f179f0..8fab320 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -352,6 +352,7 @@
int uncached;
int secure;
uintptr_t attr;
+ bool is_filemap; /*flag to indicate map used in process init*/
};
enum fastrpc_perfkeys {
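Review bot: The comment on the new `is_filemap` field says what the flag marks but not what it changes, which is the part a future reader of fastrpc_mmap_remove() needs. I would replace it with a comment stating the contract, along the lines of `/* set on the map backing a process-init file; fastrpc_mmap_remove() skips such maps so a concurrent unmap cannot free a map the init path still uses */`. Stating where the flag is set and where it is consumed also makes it obvious that any new map-creation path must leave it in a defined state.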
@@ -700,9 +701,10 @@
spin_lock(&me->hlock);
hlist_for_each_entry_safe(map, n, &me->maps, hn) {
- if (map->raddr == va &&
+ if (map->refs == 1 && map->raddr == va &&
map->raddr + map->len == va + len &&
- map->refs == 1) {
+ /*Remove map if not used in process initialization*/
+ !map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
break;
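Review bot: The new `!map->is_filemap` test on this list is evaluated under `me->hlock`, but the flag itself is written in the init path under `fl->fl_map_mutex` after `fastrpc_mmap_create()` has already published the map; if a process-init file map can ever be placed on `me->maps` (this hunk guards that list, so it seems to be expected), a remover holding only `hlock` could observe the map with the flag still false in that window and remove it, which is the race the commit is closing. Please confirm the init file map is only ever linked on `fl->maps`, or set the flag under the same lock the matching remover takes. The same applies to the second hunk over `fl->maps`. As a point of style, the `/*Remove map if not used in process initialization*/` comment sits between `&&` and its operand inside the condition in both hunks; moving it to the line above the `if` keeps the condition readable and avoids a comment that splits an expression.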
@@ -714,9 +716,10 @@
return 0;
}
hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
- if (map->raddr == va &&
+ if (map->refs == 1 && map->raddr == va &&
map->raddr + map->len == va + len &&
- map->refs == 1) {
+ /*Remove map if not used in process initialization*/
+ !map->is_filemap) {
match = map;
hlist_del_init(&map->hn);
break;
@@ -858,6 +861,7 @@
map->fl = fl;
map->fd = fd;
map->attr = attr;
+ map->is_filemap = false;
if (mflags == ADSP_MMAP_HEAP_ADDR ||
mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
unsigned long dma_attrs = DMA_ATTR_SKIP_ZEROING |
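Review bot: The assignment `map->is_filemap = false;` is the only place the flag is initialised, so it should carry a comment that says so, e.g. `/* default: only the process-init path marks a map as a file map */`. If the map is allocated with a zeroing allocator this line is redundant but harmless; if it is not, any other allocation or reuse path for struct fastrpc_mmap (none is visible in this hunk) also has to define the flag, since an uninitialised true would make the map unremovable through fastrpc_mmap_remove().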
@@ -2243,6 +2247,8 @@
mutex_lock(&fl->fl_map_mutex);
VERIFY(err, !fastrpc_mmap_create(fl, init->filefd, 0,
init->file, init->filelen, mflags, &file));
+ if (file)
+ file->is_filemap = true;
mutex_unlock(&fl->fl_map_mutex);
if (err)
goto bail;
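Review bot: `if (file) file->is_filemap = true;` relies on `file` being NULL when `fastrpc_mmap_create()` fails, and the declaration of `file` is outside this hunk (the enclosing function starts before it), so please confirm it is initialised to NULL rather than left indeterminate — otherwise the guard dereferences garbage on the error path. Nothing on the page clears the flag once process initialisation has finished, so the file map can no longer be removed by the unmap path for the life of the process; that is fine only if its release goes through the refs-based free path, which should be stated in a comment here, e.g. `/* protects the map from a concurrent unmap during init; released only via its refcount */`. If `fastrpc_mmap_create()` can return a pre-existing map with its refcount bumped (inferred), this also marks that shared map as a file map, which may be intended but is worth a sentence in the commit description.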