From patchwork Thu Mar 7 10:12:23 2019
X-Patchwork-Submitter: Srinivas Kandagatla
X-Patchwork-Id: 10842625
From: Srinivas Kandagatla
To: gregkh@linuxfoundation.org, arnd@arndb.de
Cc: linux-kernel@vger.kernel.org, bjorn.andersson@linaro.org, bkumar@qti.qualcomm.com, linux-arm-msm@vger.kernel.org, ktadakam@qti.qualcomm.com, Thierry Escande, Srinivas Kandagatla
Subject: [PATCH 2/8] misc: fastrpc: Fix a possible double free
Date: Thu, 7 Mar 2019 10:12:23 +0000
Message-Id: <20190307101229.7856-3-srinivas.kandagatla@linaro.org>
In-Reply-To: <20190307101229.7856-1-srinivas.kandagatla@linaro.org>
References: <20190307101229.7856-1-srinivas.kandagatla@linaro.org>

From: Thierry Escande

This patch fixes the error exit path of fastrpc_init_create_process(). If the DMA allocation or the DSP invoke fails the fastrpc_map was freed but not removed from the mapping list leading to a double free once the mapping list is emptied in fastrpc_device_release().

[srinivas kandagatla]: Cleaned up error path labels and reset init mem to NULL after free

Fixes: d73f71c7c6ee("misc: fastrpc: Add support for create remote init process")
Signed-off-by: Thierry Escande
Signed-off-by: Srinivas Kandagatla
--- drivers/misc/fastrpc.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 82e7217ae87a..8fbcc607a77e 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -853,12 +853,12 @@ static int fastrpc_init_create_process(struct fastrpc_user *fl, if (copy_from_user(&init, argp, sizeof(init))) { err = -EFAULT; - goto bail; + goto err; } if (init.filelen > INIT_FILELEN_MAX) { err = -EINVAL; - goto bail; + goto err; } inbuf.pgid = fl->tgid; 
@@ -872,17 +872,15 @@ static int fastrpc_init_create_process(struct fastrpc_user *fl, if (init.filelen && init.filefd) { err = fastrpc_map_create(fl, init.filefd, init.filelen, &map); if (err) - goto bail; + goto err; } memlen = ALIGN(max(INIT_FILELEN_MAX, (int)init.filelen * 4), 1024 * 1024); err = fastrpc_buf_alloc(fl, fl->sctx->dev, memlen, &imem); - if (err) { - fastrpc_map_put(map); - goto bail; - } + if (err) + goto err_alloc; fl->init_mem = imem; args[0].ptr = (u64)(uintptr_t)&inbuf; @@ -918,13 +916,24 @@ static int fastrpc_init_create_process(struct fastrpc_user *fl, err = fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE, sc, args); + if (err) + goto err_invoke; - if (err) { + kfree(args); + + return 0; + +err_invoke: + fl->init_mem = NULL; + fastrpc_buf_free(imem); +err_alloc: + if (map) { + spin_lock(&fl->lock); + list_del(&map->node); + spin_unlock(&fl->lock); fastrpc_map_put(map); - fastrpc_buf_free(imem); } - -bail: +err: kfree(args); return err;
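Review bot: In the @@ -872 hunk, the new `goto err_alloc` after a failed fastrpc_buf_alloc() can be reached with `map` never assigned, because fastrpc_map_create() only runs when `init.filelen && init.filefd` is true. The `if (map)` guard at err_alloc is only safe if `map` is initialised to NULL at its declaration, which this diff does not show. Please confirm that, or add the initialiser in this patch so the error path does not depend on code outside the change.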
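Review bot: In the @@ -918 hunk, the err_alloc block calls `list_del(&map->node)` unconditionally before `fastrpc_map_put(map)`, so the unlink is decoupled from whether this put actually drops the last reference. If fastrpc_map_create() can hand back a map that is already on the list with other holders (not visible in this diff), this unlinks a map that is still in use, and any other caller that drops the final reference has to remember the same list_del. Consider doing the unlink under fl->lock in the release function that the final fastrpc_map_put() reaches, so that list membership and object lifetime end together. A short comment at err_invoke saying why `fl->init_mem` is cleared before `fastrpc_buf_free(imem)` would also help the next reader.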