This patch fixes following issues: 1. pDMMRes was dereferenced and modified when it was already freed by PROC_Ummap(). This results in memory corruption.
2.Instead of passing ulDSPAddr, ulDSPResAddr was passed to PROC_UnMap() which will not retrieve correct DMMRes element. Signed-off-by: Ameya Palande <[email protected]> --- drivers/dsp/bridge/rmgr/drv.c | 15 +++++---------- 1 files changed, 5 insertions(+), 10 deletions(-) diff --git a/drivers/dsp/bridge/rmgr/drv.c b/drivers/dsp/bridge/rmgr/drv.c index 9d5c077..747b34c 100644 --- a/drivers/dsp/bridge/rmgr/drv.c +++ b/drivers/dsp/bridge/rmgr/drv.c @@ -273,11 +273,14 @@ DSP_STATUS DRV_ProcFreeDMMRes(HANDLE hPCtxt) pDMMList = pDMMList->next; if (pDMMRes->dmmAllocated) { status = PROC_UnMap(pDMMRes->hProcessor, - (void *)pDMMRes->ulDSPResAddr, pCtxt); + (void *)pDMMRes->ulDSPAddr, pCtxt); + /* + * PROC_UnMap has freed pDMMRes pointer, so don't access + * it now + */ if (DSP_FAILED(status)) pr_debug("%s: PROC_UnMap failed! status =" " 0x%xn", __func__, status); - pDMMRes->dmmAllocated = 0; } } return status; @@ -288,17 +291,9 @@ DSP_STATUS DRV_RemoveAllDMMResElements(HANDLE hPCtxt) { struct PROCESS_CONTEXT *pCtxt = (struct PROCESS_CONTEXT *)hPCtxt; DSP_STATUS status = DSP_SOK; - struct DMM_MAP_OBJECT *pTempDMMRes2 = NULL; - struct DMM_MAP_OBJECT *pTempDMMRes = NULL; struct DMM_RSV_OBJECT *temp, *rsv_obj; DRV_ProcFreeDMMRes(pCtxt); - pTempDMMRes = pCtxt->dmm_map_list; - while (pTempDMMRes != NULL) { - pTempDMMRes2 = pTempDMMRes; - pTempDMMRes = pTempDMMRes->next; - kfree(pTempDMMRes2); - } pCtxt->dmm_map_list = NULL; /* Free DMM reserved memory resources */ -- 1.6.3.3 -- To unsubscribe from this list: send the line "unsubscribe linux-omap" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
