msm: adsprpc: Handle UAF in fastrpc_buf_free
Thread T1 adds a buffer to fl->cached_bufs, releases fl->hlock and still holds a reference to the buffer. Thread T2 can then acquire fl->hlock and free the buffer in fastrpc_cached_buf_list_free(), after which T1 dereferences the freed buffer. Move T1's remaining uses of the buffer inside fl->hlock to avoid the UAF. Change-Id: I5f08d5497099133f87d55f5879cfe50c2ba23ae6 Signed-off-by: Santosh Sakore <quic_ssakore@quicinc.com>

committed by
Gerrit - the friendly Code Review server

parent
27d9053c28
commit
a2f9f978b1
2
dsp/adsprpc.c
Executable file → Normal file
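--- a/dsp/adsprpc.c
+++ b/dsp/adsprpc.c
@@ -714,8 +714,8 @@ static void fastrpc_buf_free(struct fastrpc_buf *buf, int cache)
 }
 hlist_add_head(&buf->hn, &fl->cached_bufs);
 fl->num_cached_buf++;
-spin_unlock(&fl->hlock);
 buf->type = -1;
+spin_unlock(&fl->hlock);
 return;
 }
 skip_buf_cache: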
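Review bot: The reordering fixes the race, but nothing in the code records the constraint that `buf` must not be touched once `fl->hlock` is dropped, so a later edit could move `buf->type = -1;` back below the unlock and silently reintroduce the use-after-free. I would add a comment directly above the assignment: `/* buf is on cached_bufs now and may be freed by fastrpc_cached_buf_list_free() as soon as hlock is dropped; no access to buf after spin_unlock() */`. With both the list insertion and the type reset under the same lock, readers that take hlock observe a consistent entry; whether any path walks cached_bufs without hlock cannot be seen from this hunk. fastrpc_buf_free begins before the hunk, so the earlier part of the function is not visible here.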