diff options
| author | Ariel Yin <ayin@google.com> | 2017-06-29 10:39:11 -0700 |
|---|---|---|
| committer | Ariel Yin <ayin@google.com> | 2017-06-29 10:39:11 -0700 |
| commit | 703b1b827c09cac0767a5c2af06b22b8a80e1abf (patch) | |
| tree | d15f97e49944919e69482972982ad23e15819798 | |
| parent | b67faa98c81b55bc56d4696f2951f3dd001bf841 (diff) | |
msm: mdss:To fix race condition during mdp debugfs releaseandroid-lego-7.1.1_r0.6
To fix race condition in the release of the mdp debugfs functions
panel_debug_base_release and mdss_debug_base_release by adding
the lock for unpreempted freeing of the buffer so that multiple
concurrent processes cannot affect the release which can possibly
lead to use-after-free operation on the buffer.
Bug: 33863407
Change-Id: I348de6408b5fe7d41d9671c4d0956c0944f828bb
| -rw-r--r-- | drivers/video/msm/mdss/mdss_debug.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c index 868883e9d5dd..a10af05d6faf 100644 --- a/drivers/video/msm/mdss/mdss_debug.c +++ b/drivers/video/msm/mdss/mdss_debug.c @@ -54,11 +54,13 @@ static int panel_debug_base_open(struct inode *inode, struct file *file) static int panel_debug_base_release(struct inode *inode, struct file *file) { struct mdss_debug_base *dbg = file->private_data; + mutex_lock(&mdss_debug_lock); if (dbg && dbg->buf) { kfree(dbg->buf); dbg->buf_len = 0; dbg->buf = NULL; } + mutex_unlock(&mdss_debug_lock); return 0; } @@ -353,11 +355,13 @@ static int mdss_debug_base_open(struct inode *inode, struct file *file) static int mdss_debug_base_release(struct inode *inode, struct file *file) { struct mdss_debug_base *dbg = file->private_data; + mutex_lock(&mdss_debug_lock); if (dbg && dbg->buf) { kfree(dbg->buf); dbg->buf_len = 0; dbg->buf = NULL; } + mutex_unlock(&mdss_debug_lock); return 0; } |