misc: fastrpc: fix memory corruption on open
authorJohan Hovold <johan+linaro@kernel.org>
Mon, 29 Aug 2022 08:05:30 +0000 (10:05 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Sep 2022 10:28:04 +0000 (12:28 +0200)
commit d245f43aab2b61195d8ebb64cef7b5a08c590ab4 upstream.

The probe session-duplication overflow check incremented the session
count also when there were no more available sessions so that memory
beyond the fixed-size slab-allocated session array could be corrupted in
fastrpc_session_alloc() on open().

Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model")
Cc: stable@vger.kernel.org # 5.1
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20220829080531.29681-3-johan+linaro@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/misc/fastrpc.c

index cbb90e0..cf57057 100644 (file)
@@ -1555,7 +1555,7 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
                spin_unlock_irqrestore(&cctx->lock, flags);
                return -ENOSPC;
        }
-       sess = &cctx->session[cctx->sesscount];
+       sess = &cctx->session[cctx->sesscount++];
        sess->used = false;
        sess->valid = true;
        sess->dev = dev;
@@ -1568,13 +1568,12 @@ static int fastrpc_cb_probe(struct platform_device *pdev)
                struct fastrpc_session_ctx *dup_sess;
 
                for (i = 1; i < sessions; i++) {
-                       if (cctx->sesscount++ >= FASTRPC_MAX_SESSIONS)
+                       if (cctx->sesscount >= FASTRPC_MAX_SESSIONS)
                                break;
-                       dup_sess = &cctx->session[cctx->sesscount];
+                       dup_sess = &cctx->session[cctx->sesscount++];
                        memcpy(dup_sess, sess, sizeof(*dup_sess));
                }
        }
-       cctx->sesscount++;
        spin_unlock_irqrestore(&cctx->lock, flags);
        rc = dma_set_mask(dev, DMA_BIT_MASK(32));
        if (rc) {