msm: kgsl: Fix possible use-after-free while adding context to active list
Consider a scenario where a context is valid when the check is made in adreno_dispatcher_queue_cmds(), but by the time we reach _track_context(), context has been detached. We would try to delete the entry from the active context list as part of detaching the context though the entry is not added yet. Now in _track_context() the context is actually added. When the context is finally destroyed, we would be left with invalid entry in the list. Next time when a context is added, an attempt would be made to use a freed entry. Fix this by moving the entry deletion part under drawctxt lock. Change-Id: Idab7cbf10987598b3e6395b2d50c20d1990d1f02 Signed-off-by: Puranam V G Tejaswi <pvgtejas@codeaurora.org>
parent
346ce0bbcb
commit
c00013d06f
1 changed files with 3 additions and 2 deletions
|
@ -1,6 +1,6 @@
|
|||
// SPDX-License-Identifier: GPL-2.0-only
|
||||
/*
|
||||
* Copyright (c) 2002,2007-2019, The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2002,2007-2020, The Linux Foundation. All rights reserved.
|
||||
*/
|
||||
|
||||
#include <linux/debugfs.h>
|
||||
|
@ -475,11 +475,12 @@ void adreno_drawctxt_detach(struct kgsl_context *context)
|
|||
drawctxt = ADRENO_CONTEXT(context);
|
||||
rb = drawctxt->rb;
|
||||
|
||||
spin_lock(&drawctxt->lock);
|
||||
|
||||
spin_lock(&adreno_dev->active_list_lock);
|
||||
list_del_init(&drawctxt->active_node);
|
||||
spin_unlock(&adreno_dev->active_list_lock);
|
||||
|
||||
spin_lock(&drawctxt->lock);
|
||||
count = drawctxt_detach_drawobjs(drawctxt, list);
|
||||
spin_unlock(&drawctxt->lock);
|
||||
|
||||
|
|
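Review bot: The nesting of `adreno_dev->active_list_lock` inside `drawctxt->lock` that this hunk introduces in adreno_drawctxt_detach() is undocumented, and the use-after-free stays closed only if the add path follows the same rules. _track_context() is not shown on this page, so it should be confirmed that it links `active_node` with `drawctxt->lock` held and only after re-checking under that lock that the context is not detached; otherwise a late add can still leave a stale node on the list once the context is freed. I would add a comment above the moved `spin_lock(&drawctxt->lock);`, such as `/* Unlink active_node under drawctxt->lock so a racing _track_context() cannot re-add it; lock order: drawctxt->lock, then active_list_lock. */`. Any path that takes the two locks in the opposite order would now deadlock, which is worth checking with lockdep enabled. The body of adreno_drawctxt_detach() starts and ends outside the hunk.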