disp: msm: sde: add event to event_list after register is successful

Add event to event_list only after msm_register_event is successful, to
avoid a use-after-free vulnerability.

Change-Id: I34fb39c99051978cbab64a852851964691a5ea9e
Signed-off-by: Ping Li <pingli@codeaurora.org>
Ping Li
2020-09-10 13:17:32 -07:00
committed by Gerrit - the friendly Code Review server
父節點 76a1d81e9d
當前提交 97a5b52ebd


@@ -1351,24 +1351,27 @@ static int msm_ioctl_register_event(struct drm_device *dev, void *data,
* calls add to client list and return.
*/
count = msm_event_client_count(dev, req_event, false);
/* Add current client to list */
spin_lock_irqsave(&dev->event_lock, flag);
list_add_tail(&client->base.link, &priv->client_event_list);
spin_unlock_irqrestore(&dev->event_lock, flag);
if (count)
if (count) {
/* Add current client to list */
spin_lock_irqsave(&dev->event_lock, flag);
list_add_tail(&client->base.link, &priv->client_event_list);
spin_unlock_irqrestore(&dev->event_lock, flag);
return 0;
}
ret = msm_register_event(dev, req_event, file, true);
if (ret) {
DRM_ERROR("failed to enable event %x object %x object id %d\n",
req_event->event, req_event->object_type,
req_event->object_id);
spin_lock_irqsave(&dev->event_lock, flag);
list_del(&client->base.link);
spin_unlock_irqrestore(&dev->event_lock, flag);
kfree(client);
} else {
/* Add current client to list */
spin_lock_irqsave(&dev->event_lock, flag);
list_add_tail(&client->base.link, &priv->client_event_list);
spin_unlock_irqrestore(&dev->event_lock, flag);
}
return ret;
}
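Review bot: The client-count check and the list insertion are still not atomic, and in the `count == 0` path the insertion now happens only after `msm_register_event()` returns, which widens the gap between the two. Two callers registering the same event concurrently could both read `count == 0` and both call `msm_register_event(dev, req_event, file, true)`; whether an outer lock serialises this ioctl is not visible in the hunk, so this needs confirming against the caller. If nothing serialises it, consider holding a mutex across the count, the register call and the insert (the spinlock presumably cannot be held across the register call), or at least record the assumption above the count with a comment such as `/* register/deregister for one event must be serialised by the caller: count and list insert are not atomic */`. The body of `msm_ioctl_register_event` starts outside the hunk, so the allocation and initialisation of `client` could not be checked here.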