This patch fixes following issues:
1. pDMMRes was dereferenced and modified when it was already freed by
PROC_Ummap(). This results in memory corruption.
2.Instead of passing ulDSPAddr, ulDSPResAddr was passed to PROC_UnMap()
which will not retrieve correct DMMRes element.
Signed-off-by: Ameya Palande <ameya.palande@xxxxxxxxx>
---
drivers/dsp/bridge/rmgr/drv.c | 15 +++++----------
1 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/drivers/dsp/bridge/rmgr/drv.c b/drivers/dsp/bridge/rmgr/drv.c
index 9d5c077..747b34c 100644
--- a/drivers/dsp/bridge/rmgr/drv.c
+++ b/drivers/dsp/bridge/rmgr/drv.c
@@ -273,11 +273,14 @@ DSP_STATUS DRV_ProcFreeDMMRes(HANDLE hPCtxt)
pDMMList = pDMMList->next;
if (pDMMRes->dmmAllocated) {
status = PROC_UnMap(pDMMRes->hProcessor,
- (void *)pDMMRes->ulDSPResAddr, pCtxt);
+ (void *)pDMMRes->ulDSPAddr, pCtxt);
+ /*
+ * PROC_UnMap has freed pDMMRes pointer, so don't access
+ * it now
+ */
if (DSP_FAILED(status))
pr_debug("%s: PROC_UnMap failed! status ="
" 0x%xn", __func__, status);
- pDMMRes->dmmAllocated = 0;
}
}
return status;
@@ -288,17 +291,9 @@ DSP_STATUS DRV_RemoveAllDMMResElements(HANDLE hPCtxt)
{
struct PROCESS_CONTEXT *pCtxt = (struct PROCESS_CONTEXT *)hPCtxt;
DSP_STATUS status = DSP_SOK;
- struct DMM_MAP_OBJECT *pTempDMMRes2 = NULL;
- struct DMM_MAP_OBJECT *pTempDMMRes = NULL;
struct DMM_RSV_OBJECT *temp, *rsv_obj;
DRV_ProcFreeDMMRes(pCtxt);
- pTempDMMRes = pCtxt->dmm_map_list;
- while (pTempDMMRes != NULL) {
- pTempDMMRes2 = pTempDMMRes;
- pTempDMMRes = pTempDMMRes->next;
- kfree(pTempDMMRes2);
- }
pCtxt->dmm_map_list = NULL;
/* Free DMM reserved memory resources */
--
1.6.3.3
--
To unsubscribe from this list: send the line "unsubscribe linux-omap" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
