Commit 7aef45fd authored by josh_hsu, committed by Carol_Jiang

anthias: mdss: security patch CVE-2015-8943

msm: mdss: Unmap only when buffer was mapped
Currently buffer is unmapped if iommu is attached.
This can lead to potential unmap issues if wrong
addresses are sent and are tried to unmap without
mapping. Hence ensure unmap is done only when
buffer is mapped.

Change-Id: I339d6aefa501cda0ed0cf8f6b9c516b64d892b82
Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/248994


Reviewed-by: Carol_Jiang <carol_jiang@asus.com>
Tested-by: Carol_Jiang <carol_jiang@asus.com>
parent 8074db33
......@@ -289,6 +289,7 @@ struct mdss_mdp_img_data {
unsigned long len;
u32 flags;
int p_need;
bool mapped;
struct file *srcp_file;
struct ion_handle *srcp_ihdl;
};
......
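Review bot: The new `bool mapped;` member of struct mdss_mdp_img_data is undocumented, and the fix only holds if every instance starts out with it false. Please add a comment saying it records whether the buffer is currently IOMMU-mapped (set in mdss_mdp_get_img, cleared in mdss_mdp_put_img), and confirm that every site that allocates or reuses this struct zeroes it, since a stale true value would bring back the unmap-without-map path the commit message describes.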
......@@ -513,7 +513,7 @@ int mdss_mdp_put_img(struct mdss_mdp_img_data *data)
pr_err("invalid ion client\n");
return -ENOMEM;
} else {
if (is_mdss_iommu_attached()) {
if (data->mapped) {
int domain;
if (data->flags & MDP_SECURE_OVERLAY_SESSION)
domain = MDSS_IOMMU_DOMAIN_SECURE;
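Review bot: Inside the new `if (data->mapped)` block the unmap domain is still derived at put time from `data->flags & MDP_SECURE_OVERLAY_SESSION`. If flags can differ between mdss_mdp_get_img and mdss_mdp_put_img, the unmap would target a different domain than the one the buffer was mapped into. Consider recording the domain chosen at map time alongside `mapped` and using that stored value here.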
......@@ -526,6 +526,7 @@ int mdss_mdp_put_img(struct mdss_mdp_img_data *data)
msm_ion_unsecure_buffer(iclient,
data->srcp_ihdl);
}
data->mapped = false;
}
ion_free(iclient, data->srcp_ihdl);
data->srcp_ihdl = NULL;
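Review bot: `data->mapped` is tested at the top of this block and cleared here by `data->mapped = false;`, with no lock visible in these lines. If two callers can reach mdss_mdp_put_img for the same mdss_mdp_img_data, both could pass the check before either clears the flag, and the second unmap would again run on an unmapped buffer. Please state which lock serializes get and put for one buffer, or take one around the check and the clear.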
......@@ -605,6 +606,7 @@ int mdss_mdp_get_img(struct msmfb_data *img, struct mdss_mdp_img_data *data)
if (ret && (domain == MDSS_IOMMU_DOMAIN_SECURE))
msm_ion_unsecure_buffer(iclient,
data->srcp_ihdl);
data->mapped = true;
} else {
ret = ion_phys(iclient, data->srcp_ihdl, start,
(size_t *) len);
......
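Review bot: `data->mapped = true;` is set unconditionally, directly after the `if (ret && (domain == MDSS_IOMMU_DOMAIN_SECURE))` error handling, so the flag is also set when ret is non-zero and the mapping failed. A later mdss_mdp_put_img would then unmap a buffer that was never mapped, which is the case this patch is meant to close. Suggest setting the flag only on success, for example `if (!ret) data->mapped = true;`.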