

q6lsm: Address use after free for mmap handle.
The global declared mmap_handle can be left dangling
for the case when the handle is freed by the calling function.
Fix is to address this. Also add a check to make sure
the mmap_handle is accessed legally.

Change-Id: I367f8a41339aa0025b545b125ee820220efedeee
Signed-off-by: Soumya Managoli <[email protected]>
Soumya Managoli authored and tmamatha committed Aug 25, 2023
1 parent 552544d commit 904cadd
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion sound/soc/msm/qdsp6v2/q6lsm.c
Expand Up @@ -339,6 +339,10 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
struct apr_hdr *msg_hdr = (struct apr_hdr *) data;

pr_debug("%s: enter wait %d\n", __func__, wait);
if (mmap_handle_p) {
pr_err("%s: Invalid mmap_handle\n", __func__);
return -EINVAL;
}
if (wait)
mutex_lock(&lsm_common.apr_lock);
if (mmap_p) {
Expand Down Expand Up @@ -382,6 +386,7 @@ static int q6lsm_apr_send_pkt(struct lsm_client *client, void *handle,
if (wait)
mutex_unlock(&lsm_common.apr_lock);

mmap_handle_p = NULL;
pr_debug("%s: leave ret %d\n", __func__, ret);
return ret;
}
Expand Down Expand Up @@ -1396,7 +1401,8 @@ static int q6lsm_mmapcallback(struct apr_client_data *data, void *priv)
case LSM_SESSION_CMDRSP_SHARED_MEM_MAP_REGIONS:
if (atomic_read(&client->cmd_state) == CMD_STATE_WAIT_RESP) {
spin_lock_irqsave(&mmap_lock, flags);
*mmap_handle_p = command;
if (mmap_handle_p)
*mmap_handle_p = command;
/* spin_unlock_irqrestore implies barrier */
spin_unlock_irqrestore(&mmap_lock, flags);
atomic_set(&client->cmd_state, CMD_STATE_CLEARED);
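Review bot: The NULL guard added in the q6lsm_mmapcallback hunk only closes the use-after-free window if every store to mmap_handle_p is made under mmap_lock, but the new `mmap_handle_p = NULL;` in the second hunk runs after apr_lock has been released and without mmap_lock, so the callback can still observe a non-NULL pointer under its spinlock and write through it after the sender has cleared it and, per the description, its caller has freed the handle. The clear should be done as `spin_lock_irqsave(&mmap_lock, flags); mmap_handle_p = NULL; spin_unlock_irqrestore(&mmap_lock, flags);` (whether a local `flags` already exists in q6lsm_apr_send_pkt is not visible in the hunk). The entry check in the first hunk likewise reads mmap_handle_p before apr_lock is taken and regardless of `wait`, so two concurrent senders could both see NULL and proceed; if that is acceptable it deserves a comment such as `/* reject an overlapping map request while a previous one is still in flight */`. q6lsm_apr_send_pkt begins before the first hunk; only its entry and return paths are visible here.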
