
Commit 3f1282e

authored
misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context (#594)
misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
2 parents 5827f01 + b3036d0 commit 3f1282e

1 file changed

Lines changed: 21 additions & 18 deletions


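--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -502,9 +502,30 @@ static void fastrpc_channel_ctx_put(struct fastrpc_channel_ctx *cctx)
 kref_put(&cctx->refcount, fastrpc_channel_ctx_free);
 }
 
+static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx);
+
 static void fastrpc_user_free(struct kref *ref)
 {
 struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount);
+struct fastrpc_invoke_ctx *ctx, *n;
+struct fastrpc_map *map, *m;
+struct fastrpc_buf *buf, *b;
+
+if (fl->init_mem)
+fastrpc_buf_free(fl->init_mem);
+
+list_for_each_entry_safe(ctx, n, &fl->pending, node) {
+list_del(&ctx->node);
+fastrpc_context_put(ctx);
+}
+
+list_for_each_entry_safe(map, m, &fl->maps, node)
+fastrpc_map_put(map);
+
+list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
+list_del(&buf->node);
+fastrpc_buf_free(buf);
+}
 
 fastrpc_channel_ctx_put(fl->cctx);
 mutex_destroy(&fl->mutex);
@@ -1655,9 +1676,6 @@ static int fastrpc_device_release(struct inode *inode, struct file *file)
 {
 struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data;
 struct fastrpc_channel_ctx *cctx = fl->cctx;
-struct fastrpc_invoke_ctx *ctx, *n;
-struct fastrpc_map *map, *m;
-struct fastrpc_buf *buf, *b;
 unsigned long flags;
 
 fastrpc_release_current_dsp_process(fl);
@@ -1666,21 +1684,6 @@ static int fastrpc_device_release(struct inode *inode, struct file *file)
 list_del(&fl->user);
 spin_unlock_irqrestore(&cctx->lock, flags);
 
-fastrpc_buf_free(fl->init_mem);
-
-list_for_each_entry_safe(ctx, n, &fl->pending, node) {
-list_del(&ctx->node);
-fastrpc_context_put(ctx);
-}
-
-list_for_each_entry_safe(map, m, &fl->maps, node)
-fastrpc_map_put(map);
-
-list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
-list_del(&buf->node);
-fastrpc_buf_free(buf);
-}
-
 fastrpc_session_free(cctx, fl->sctx);
 file->private_data = NULL;
 /* Release the reference taken in fastrpc_device_open */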
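Review bot: In fastrpc_device_release, `fastrpc_session_free(cctx, fl->sctx)` still runs at close time, while the buffers and maps created under that session are now released only when the last reference reaches fastrpc_user_free. If fastrpc_session_free makes the session available for reuse (its body is not in this diff), a later open could be handed a session that still carries the previous user's mappings until a pending work item drops its reference. Consider moving the call next to the rest of the teardown, `fastrpc_session_free(fl->cctx, fl->sctx);` just before `fastrpc_channel_ctx_put(fl->cctx);` in fastrpc_user_free, or add a comment stating why the early release is safe. The list walks in fastrpc_user_free take neither fl->lock nor fl->mutex, which holds only because the refcount is already zero; a one-line comment such as `/* last reference: no other context can reach fl's lists */` would record that invariant. Both functions continue outside the hunks shown.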
