From e2cfdde491698cf833e922e680935ce1f6c7528c Mon Sep 17 00:00:00 2001
From: Abhishek Singh
Date: Fri, 21 Jun 2024 16:04:09 +0530
Subject: [PATCH] dsp-kernel: Do not search the global map in the process-specific list

If a user makes the ioctl call for the fastrpc_internal_mmap with the global map flag, fd, and va corresponding to some map already present in the process- specific list, then this map present in the process- specific list could be added to the global list. Because global maps are also searched in the process-specific list. If a map gets removed from the global list and another concurrent thread is using the same map for a process-specific use case, it could lead to a use-after-free. Avoid searching the global map in the process-specific list.

Change-Id: I59c820eb984945d39cd6e4b163307ea43ee4d2f4
Signed-off-by: Abhishek Singh
---
 dsp/adsprpc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dsp/adsprpc.c b/dsp/adsprpc.c
index ed8419cf77..50d9e83629 100644
--- a/dsp/adsprpc.c
+++ b/dsp/adsprpc.c
@@ -852,7 +852,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd,
 if ((va + len) < va)
 return -EFAULT;
- if (mflags == ADSP_MMAP_DMA_BUFFER) {
+ if ((mflags == ADSP_MMAP_HEAP_ADDR) ||
+ (mflags == ADSP_MMAP_REMOTE_HEAP_ADDR)) {
+ return -EFAULT;
+ } else if (mflags == ADSP_MMAP_DMA_BUFFER) {
 hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
 if (map->buf == buf) {
 if (refs) {
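Review bot: The new early return for `ADSP_MMAP_HEAP_ADDR` / `ADSP_MMAP_REMOTE_HEAP_ADDR` reuses `-EFAULT`, the same value the `(va + len) < va` overflow check just above returns, so a caller or a log reader cannot tell "global maps are never looked up in this list" from a wrapped address range. If every caller only tests for non-zero this is harmless, but that is not visible in the hunk; a distinct error code, or at least a comment such as `/* global maps are never matched against fl->maps: a per-process map must not be reused as a global one */`, would keep the lifetime rule from being undone by a later edit. The guard also depends on exact equality with the two flag values, so it is worth confirming that the path which inserts into the global list classifies a map with the same test. The body of fastrpc_mmap_find starts and ends outside the hunk.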