author | Krishna Manikandan <mkrishn@codeaurora.org> | 2021-06-23 11:47:16 +0530 |
---|---|---|
committer | Joey Lin <linjoey@google.com> | 2022-01-27 08:58:59 +0000 |
commit | 3609ed8847482d93dcec0ee4a4e771848f1af396 (patch) | |
tree | d9edd1b89f1d5c43a18f151ff35e6f3a0d930724 | |
parent | 4a9a34b444975776aa275f729f33cd7bdf151a6a (diff) | |
download | display-drivers-3609ed8847482d93dcec0ee4a4e771848f1af396.tar.gz |
disp: msm: sde: add null check for drm file in msm_release
Drm file is not set to NULL after freeing it from drm
release. This can result in use-after-free issues in
some scenarios. Add a mutex lock and other proper null
checks to prevent such issues.
Bug:213239835
Change-Id: Ic35b0a76166b0f47a354b1737e6f4c3ac1437ed4
Signed-off-by: Krishna Manikandan <mkrishn@codeaurora.org>
Signed-off-by: Althaf Neelanchirayil <aneelanc@codeaurora.org>
Signed-off-by: linjoey <linjoey@google.com>
-rw-r--r-- | msm/msm_drv.c | 28 |
1 files changed, 23 insertions, 5 deletions
diff --git a/msm/msm_drv.c b/msm/msm_drv.c
index 0ab8b1f0..2b219cda 100644
--- a/msm/msm_drv.c
+++ b/msm/msm_drv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2021, The Linux Foundation. All rights reserved.
 * Copyright (C) 2013 Red Hat
 * Author: Rob Clark <robdclark@gmail.com>
 *
@@ -65,6 +65,8 @@
 #define IDLE_ENCODER_MASK_DEFAULT 1
 #define IDLE_TIMEOUT_MS_DEFAULT 100
+static DEFINE_MUTEX(msm_release_lock);
+
 static void msm_fb_output_poll_changed(struct drm_device *dev)
 {
 struct msm_drm_private *priv = NULL;
@@ -1621,13 +1623,25 @@ void msm_mode_object_event_notify(struct drm_mode_object *obj,
 static int msm_release(struct inode *inode, struct file *filp)
 {
 struct drm_file *file_priv = filp->private_data;
- struct drm_minor *minor = file_priv->minor;
- struct drm_device *dev = minor->dev;
- struct msm_drm_private *priv = dev->dev_private;
+ struct drm_minor *minor;
+ struct drm_device *dev;
+ struct msm_drm_private *priv;
 struct msm_drm_event *node, *temp, *tmp_node;
 u32 count;
 unsigned long flags;
 LIST_HEAD(tmp_head);
+ int ret = 0;
+
+ mutex_lock(&msm_release_lock);
+
+ if (!file_priv) {
+ ret = -EINVAL;
+ goto end;
+ }
+
+ minor = file_priv->minor;
+ dev = minor->dev;
+ priv = dev->dev_private;
 spin_lock_irqsave(&dev->event_lock, flags);
 list_for_each_entry_safe(node, temp, &priv->client_event_list,
@@ -1664,7 +1678,11 @@ static int msm_release(struct inode *inode, struct file *filp)
 */
 msm_preclose(dev, file_priv);
- return drm_release(inode, filp);
+ ret = drm_release(inode, filp);
+ filp->private_data = NULL;
+end:
+ mutex_unlock(&msm_release_lock);
+ return ret;
 }
 /** |
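Review bot: `msm_release_lock` in the `@@ -65,6 +65,8 @@` hunk is defined without a comment saying what it protects. Being a single file-scope mutex, it serializes every release on this driver, including the `msm_preclose()` and `drm_release()` calls made while it is held later in the patch. I would add a comment above the definition such as `/* Serializes msm_release() so the filp->private_data NULL check and its clearing happen atomically. */`. Naming the guarded field makes it easier to audit whether other readers of `private_data` take the same lock.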
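Review bot: In the `@@ -1621,13 +1623,25 @@` hunk, `file_priv` is still loaded from `filp->private_data` in its initializer, before `mutex_lock(&msm_release_lock)`, so the `if (!file_priv)` check under the lock tests a value sampled outside the critical section. A caller that read the pointer before another one cleared it would pass the check and dereference freed memory at `minor = file_priv->minor;`. Declare `struct drm_file *file_priv;` without an initializer and assign `file_priv = filp->private_data;` immediately after `mutex_lock(&msm_release_lock);`. The body of msm_release continues outside this hunk.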
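Review bot: In the `@@ -1664,7 +1678,11 @@` hunk, clearing `filp->private_data` after `drm_release()` only protects code that re-reads the field while holding `msm_release_lock`. No other reader is visible in this diff, so this is inferred, but any file operation that reads `private_data` without the lock would still see the stale pointer between the free and the store. A comment on the store would record the intent, e.g. `/* drm_release() freed file_priv; clear the stale pointer under msm_release_lock */`, and the ioctl/poll/read paths should be checked for the same lock. The `end:` path reached from the NULL check also returns `-EINVAL` silently; a rate-limited warning there would make a repeated release visible in logs.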