From a2f9f978b19dd8f19ec3d61d4f9c00e497c8d70c Mon Sep 17 00:00:00 2001
From: Santosh Sakore
Date: Sat, 8 Apr 2023 06:58:45 +0530
Subject: [PATCH] msm: adsprpc: Handle UAF in fastrpc_buf_free

Thread T1 add buffer to fl->cached_bufs and release fl->hlock and holding buffer reference. Now thread T2 will aquire fl->hlock and free buffer in fastrpc_cached_buf_list_free(). T1 will dereference the freed buffer. Moving reference buffer uses for T1 inside fl->hlock to avoid UAF.

Change-Id: I5f08d5497099133f87d55f5879cfe50c2ba23ae6
Signed-off-by: Santosh Sakore
---
 dsp/adsprpc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 mode change 100755 => 100644 dsp/adsprpc.c

diff --git a/dsp/adsprpc.c b/dsp/adsprpc.c
old mode 100755
new mode 100644
index 5dc4d81d3a..65f0df3e56
--- a/dsp/adsprpc.c
+++ b/dsp/adsprpc.c
@@ -714,8 +714,8 @@ static void fastrpc_buf_free(struct fastrpc_buf *buf, int cache)
 }
 hlist_add_head(&buf->hn, &fl->cached_bufs);
 fl->num_cached_buf++;
- spin_unlock(&fl->hlock);
 buf->type = -1;
+ spin_unlock(&fl->hlock);
 return;
 }
 skip_buf_cache:
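Review bot: Nothing in the new code records that buf must not be touched once spin_unlock(&fl->hlock) runs, which is the invariant this reordering depends on and which the removed line violated, so a later edit could just as easily move the unlock back above the store. Add above the unlock: `/* buf now belongs to fl->cached_bufs and may be freed by another thread (fastrpc_cached_buf_list_free) as soon as hlock is dropped; do not touch buf past this point */`. Consider also resetting `buf->type = -1;` before the `hlist_add_head()` call so the buffer is never on the list with its old type, which keeps the invariant even if some reader walks the list without hlock (I cannot tell from the hunk whether one exists). fastrpc_buf_free begins before and continues after this hunk (the skip_buf_cache: path), so the function's remaining uses of buf are not visible here.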