msm: npu: Fix use after free issue

There is possibility that network will be used after free. This change is to fix this issue. Change-Id: Iac85b733119aef8dfc5193984fbb2cdca663568a Signed-off-by: Jilai Wang <[email protected]>
tejas101k · Oct 16, 2023 · fefe5d4 · fefe5d4
1 parent f0342a4
commit fefe5d4
Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/drivers/media/platform/msm/npu_v2/npu_mgr.c b/drivers/media/platform/msm/npu_v2/npu_mgr.c
@@ -2556,6 +2556,13 @@ int32_t npu_host_unload_network(struct npu_client *client,
 		return -EINVAL;
 	}
 
+	if (network->is_unloading) {
+		NPU_ERR("network is unloading\n");
+		network_put(network);
+		mutex_unlock(&host_ctx->lock);
+		return -EINVAL;
+	}
+
 	if (!network->is_active) {
 		NPU_ERR("network is not active\n");
 		network_put(network);
@@ -2573,6 +2580,8 @@ int32_t npu_host_unload_network(struct npu_client *client,
 		goto free_network;
 	}
 
+	network->is_unloading = true;
+
 	NPU_DBG("Unload network %lld\n", network->id);
 	/* prepare IPC packet for UNLOAD */
 	unload_packet.header.cmd_type = NPU_IPC_CMD_UNLOAD;
@@ -2703,6 +2712,11 @@ int32_t npu_host_exec_network_v2(struct npu_client *client,
 		return -EINVAL;
 	}
 
+	if (network->is_unloading) {
+		NPU_ERR("network is unloading\n");
+		ret = -EINVAL;
+		goto exec_v2_done;
+	}
 	if (!network->is_active) {
 		NPU_ERR("network is not active\n");
 		ret = -EINVAL;

diff --git a/drivers/media/platform/msm/npu_v2/npu_mgr.h b/drivers/media/platform/msm/npu_v2/npu_mgr.h
@@ -91,6 +91,7 @@ struct npu_network {
 	atomic_t ref_cnt;
 	bool is_valid;
 	bool is_active;
+	bool is_unloading;
 	bool fw_error;
 	struct npu_client *client;
 	struct list_head cmd_list;