samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "msm: camera: sync: Avoiding UAF on get dma fence" into camera-kernel.lnx.7.0

Browse Source
This commit is contained in:
Camera Software Integration
2024-04-28 22:44:10 -07:00
committed by Gerrit - the friendly Code Review server
parent 1aa641e0f3 96ff7cbcd8
commit 88daa83530
1 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
drivers/cam_sync/cam_sync_dma_fence.c
View File

@@ -330,6 +330,7 @@ struct dma_fence *cam_dma_fence_get_fence_from_fd(
int32_t fd, int32_t *dma_fence_row_idx)
{
struct dma_fence *dma_fence = NULL;
struct cam_dma_fence_row *row;
dma_fence = __cam_dma_fence_find_fence_in_table(fd, dma_fence_row_idx);
if (IS_ERR_OR_NULL(dma_fence)) {
@@ -339,7 +340,19 @@ struct dma_fence *cam_dma_fence_get_fence_from_fd(
return cam_dma_fence_get_fence_from_sync_file(fd, dma_fence_row_idx);
}
spin_lock_bh(&g_cam_dma_fence_dev->row_spinlocks[*dma_fence_row_idx]);
row = &g_cam_dma_fence_dev->rows[*dma_fence_row_idx];
if (row->state == CAM_DMA_FENCE_STATE_INVALID) {
CAM_ERR(CAM_DMA_FENCE,
"dma fence at idx: %d is in invalid state: %d",
dma_fence_row_idx, row->state);
spin_unlock_bh(&g_cam_dma_fence_dev->row_spinlocks[*dma_fence_row_idx]);
return ERR_PTR(-EINVAL);
}
dma_fence_get(dma_fence);
spin_unlock_bh(&g_cam_dma_fence_dev->row_spinlocks[*dma_fence_row_idx]);
CAM_DBG(CAM_DMA_FENCE, "dma fence found for fd: %d with seqno: %llu ref_cnt: %u",
fd, dma_fence->seqno, kref_read(&dma_fence->refcount));