Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / af4ea937a3f3f140827c9aaf6267f1ddf4fd6a75^1..af4ea937a3f3f140827c9aaf6267f1ddf4fd6a75 / .
commitaf4ea937a3f3f140827c9aaf6267f1ddf4fd6a75[log] [tgz]
authorLinux Build Service Account <lnxbuild@quicinc.com>Thu Jan 11 07:30:23 2018 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>Thu Jan 11 07:30:22 2018 -0800
tree1f765dac8fb8cfdf87ef325bd1b1cb0db13aa86d
parente141e30b9807467a506d8313de602ad0cbbf6643 [diff]
parentc31eac557ea764add4bcb67ff03995b444c75b3f [diff]
Merge "msm: adsprpc: Variable map may UAF due to race conditions"
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 4b1e9ca..177fb3d 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c

@@ -341,6 +341,7 @@
 	struct mutex perf_mutex;
 	struct pm_qos_request pm_qos_req;
 	int qos_request;
+	struct mutex map_mutex;
 };
 
 static struct fastrpc_apps gfa;
@@ -2150,6 +2151,7 @@
 	int err = 0;
 	struct fastrpc_mmap *map = NULL;
 
+	mutex_lock(&fl->map_mutex);
 	VERIFY(err, !fastrpc_mmap_remove(fl, ud->vaddrout, ud->size, &map));
 	if (err)
 		goto bail;
@@ -2160,6 +2162,7 @@
 bail:
 	if (err && map)
 		fastrpc_mmap_add(map);
+	mutex_unlock(&fl->map_mutex);
 	return err;
 }
 
@@ -2193,10 +2196,12 @@
 	struct fastrpc_mmap *map = NULL;
 	int err = 0;
 
+	mutex_lock(&fl->map_mutex);
 	if (!fastrpc_mmap_find(fl, ud->fd, (uintptr_t)ud->vaddrin,
-			 ud->size, ud->flags, 1, &map))
+			 ud->size, ud->flags, 1, &map)){
+		mutex_unlock(&fl->map_mutex);
 		return 0;
-
+	}
 	VERIFY(err, !fastrpc_mmap_create(fl, ud->fd, 0,
 			(uintptr_t)ud->vaddrin, ud->size,
 			 ud->flags, &map));
@@ -2209,6 +2214,7 @@
  bail:
 	if (err && map)
 		fastrpc_mmap_free(map, 0);
+	mutex_unlock(&fl->map_mutex);
 	return err;
 }
 
@@ -2410,6 +2416,7 @@
 			pm_qos_remove_request(&fl->pm_qos_req);
 		if (fl->debugfs_file != NULL)
 			debugfs_remove(fl->debugfs_file);
+		mutex_destroy(&fl->map_mutex);
 		fastrpc_file_free(fl);
 		file->private_data = NULL;
 	}
@@ -2734,6 +2741,7 @@
 	memset(&fl->perf, 0, sizeof(fl->perf));
 	fl->qos_request = 0;
 	filp->private_data = fl;
+	mutex_init(&fl->map_mutex);
 	spin_lock(&me->hlock);
 	hlist_add_head(&fl->hn, &me->drivers);
 	spin_unlock(&me->hlock);