
qcedev: fix UAF in qcedev_smmu

An external researcher found a UAF in qcedev_smmu.c on an error condition in
qcedev_check_and_map_buffer. When an error occurs, we free binfo, but it
is still kept in the registeredbufs list. The fix removes it from the
list before freeing binfo.

Change-Id: I0327e456bd46106b12c36a5a21305407aae428dd
Signed-off-by: Daniel Perez-Zoghbi <[email protected]>
Daniel Perez-Zoghbi 9 months ago
Parent
Commit 7bf467d930
1 changed file with 5 additions and 1 deletion

+ 5 - 1
crypto-qti/qcedev_smmu.c

@@ -344,8 +344,12 @@ int qcedev_check_and_map_buffer(void *handle,
 	return 0;
 
 unmap:
-	if (!found)
+	if (!found) {
 		qcedev_unmap_buffer(handle, mem_client, binfo);
+		mutex_lock(&qce_hndl->registeredbufs.lock);
+		list_del(&binfo->list);
+		mutex_unlock(&qce_hndl->registeredbufs.lock);
+	}
 
 error:
 	kfree(binfo);
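Review bot: in the `unmap:` path the list removal happens after `qcedev_unmap_buffer(handle, mem_client, binfo)`, so between those two calls binfo is still reachable through registeredbufs.list (under its lock) while its mapping has already been torn down. Safer ordering is to take `registeredbufs.lock`, `list_del(&binfo->list)`, release the lock, and only then call `qcedev_unmap_buffer()`, so no other holder of the list lock can find a binfo whose buffer is no longer mapped. It is also worth confirming in the surrounding function that every `goto unmap` taken with `!found` happens only after binfo was linked into the list, because `list_del()` on a never-linked list head corrupts memory rather than being a no-op.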