This patch fixes following issues:
1. pDMMRes was dereferenced and modified when it was already freed by
PROC_Ummap(). This results in memory corruption.
2. Instead of passing ulDSPAddr, ulDSPResAddr was passed to PROC_UnMap()
which will not retrieve correct DMMRes element.
Signed-off-by: Ameya Palande <ameya.pala...@nokia.com>
Signed-off-by: Felipe Contreras <felipe.contre...@nokia.com>
---
drivers/dsp/bridge/rmgr/drv.c | 12 ++----------
1 files changed, 2 insertions(+), 10 deletions(-)
diff --git a/drivers/dsp/bridge/rmgr/drv.c b/drivers/dsp/bridge/rmgr/drv.c
index 12ba7e0..b88b5a3 100644
--- a/drivers/dsp/bridge/rmgr/drv.c
+++ b/drivers/dsp/bridge/rmgr/drv.c
@@ -293,12 +293,12 @@ DSP_STATUS DRV_ProcFreeDMMRes(HANDLE hPCtxt)
pDMMRes = pDMMList;
pDMMList = pDMMList->next;
if (pDMMRes->dmmAllocated) {
+ /* PROC_UnMap will free pDMMRes pointer */
status = PROC_UnMap(pDMMRes->hProcessor,
- (void *)pDMMRes->ulDSPResAddr, pCtxt);
+ (void *)pDMMRes->ulDSPAddr, pCtxt);
if (DSP_FAILED(status))
pr_debug("%s: PROC_UnMap failed! status ="
" 0x%xn", __func__, status);
- pDMMRes->dmmAllocated = 0;
}
}
return status;
@@ -309,17 +309,9 @@ DSP_STATUS DRV_RemoveAllDMMResElements(HANDLE hPCtxt)
{
struct PROCESS_CONTEXT *pCtxt = (struct PROCESS_CONTEXT *)hPCtxt;
DSP_STATUS status = DSP_SOK;
- struct DMM_MAP_OBJECT *pTempDMMRes2 = NULL;
- struct DMM_MAP_OBJECT *pTempDMMRes = NULL;
struct DMM_RSV_OBJECT *temp, *rsv_obj;
DRV_ProcFreeDMMRes(pCtxt);
- pTempDMMRes = pCtxt->dmm_map_list;
- while (pTempDMMRes != NULL) {
- pTempDMMRes2 = pTempDMMRes;
- pTempDMMRes = pTempDMMRes->next;
- kfree(pTempDMMRes2);
- }
pCtxt->dmm_map_list = NULL;
/* Free DMM reserved memory resources */
--
1.6.3.3
--
To unsubscribe from this list: send the line "unsubscribe linux-omap" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
