FPII-2231: Elevation of privilege vulnerability in Qualcomm components CVE-2015-8943 ANDROID-28815158
msm: mdss: Unmap only when buffer was mapped
Currently buffer is unmapped if iommu is attached.
This can lead to potential unmap issues if wrong addresses are sent and an unmap is attempted on a buffer that was never mapped.
Hence ensure unmap is done only when buffer is mapped.
CR#794217, CR#836226
Change-Id: I9741a85c3ec8a9c1094e921eb62ccb9493f48f45
diff --git a/drivers/video/msm/mdss/mdss_mdp.h b/drivers/video/msm/mdss/mdss_mdp.h
index f5f5770..6919a35 100644
--- a/drivers/video/msm/mdss/mdss_mdp.h
+++ b/drivers/video/msm/mdss/mdss_mdp.h
@@ -279,6 +279,7 @@
u32 len;
u32 flags;
int p_need;
+ bool mapped;
struct file *srcp_file;
struct ion_handle *srcp_ihdl;
};
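Review bot: The new `mapped` field has no comment, and the `if (data->mapped)` check added in mdss_mdp_util.c is only safe if every instance of this struct starts with the field false. Consider documenting it, e.g. `bool mapped; /* true only while srcp_ihdl holds a live iommu mapping */`. The allocation sites are not part of this diff, so it is worth confirming that they zero the structure before the put path can run; a stale true value would bring back the unmap-without-map case this commit is closing. The struct definition starts outside the hunk.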
diff --git a/drivers/video/msm/mdss/mdss_mdp_util.c b/drivers/video/msm/mdss/mdss_mdp_util.c
index 01745fd..d11bcc8 100644
--- a/drivers/video/msm/mdss/mdss_mdp_util.c
+++ b/drivers/video/msm/mdss/mdss_mdp_util.c
@@ -502,7 +502,7 @@
pr_err("invalid ion client\n");
return -ENOMEM;
} else {
- if (is_mdss_iommu_attached()) {
+ if (data->mapped) {
int domain;
if (data->flags & MDP_SECURE_OVERLAY_SESSION)
domain = MDSS_IOMMU_DOMAIN_SECURE;
@@ -515,6 +515,7 @@
msm_ion_unsecure_buffer(iclient,
data->srcp_ihdl);
}
+ data->mapped = false;
}
ion_free(iclient, data->srcp_ihdl);
data->srcp_ihdl = NULL;
@@ -593,6 +594,7 @@
if (ret && (domain == MDSS_IOMMU_DOMAIN_SECURE))
msm_ion_unsecure_buffer(iclient,
data->srcp_ihdl);
+ data->mapped = true;
} else {
ret = ion_phys(iclient, data->srcp_ihdl, start,
(size_t *) len);
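Review bot: `data->mapped = true;` is set unconditionally, right after the `if (ret && (domain == MDSS_IOMMU_DOMAIN_SECURE))` error branch, so the flag is also raised when the mapping call failed (assuming `ret` holds the map result; its assignment is above the hunk). A later put on that buffer would then pass the `if (data->mapped)` check and unmap a buffer that was never mapped. For a secure session it also appears that `msm_ion_unsecure_buffer` would be called a second time. Deriving the flag from the result closes this: `data->mapped = !ret;` or `if (!ret) data->mapped = true;`. The enclosing function starts and ends outside the hunk, so whether a failed get can still reach the put path should be checked there.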