soc: hgsl: fix race of isync fence release (bd2c568d) · Commits · CodeLinaro / la / kernel / msm-5.15

Commit bd2c568d authored 1 year ago by Hui Li Committed by Xueshi Shi 1 year ago

soc: hgsl: fix race of isync fence release


- In isync timeline destruct, fence move to free list from child list
may happens before child list delete in fence release, after isync
fence released, the fence object may still be accessed in timeline
destruct, there will be a UAF issue.

Check the fence refcount before delete fence from child list in isync
timeline destruct.

- In isync fence create, a malicious user may close the fence fd
right after fd is installed, and the fence release may be invoked
before we add fence to the list, then there will be a UAF issue.

Move the dma_fence_put after add fence to the list.

- Correct the isync fence object free.

Change-Id: Ib1ac7e055d8e8a2ece24d7fd03e4e0a45063f815
Signed-off-by: Hui Li <quic_hul@quicinc.com>
(cherry picked from commit e91a8331)

parent 6e8c60ef

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 10 additions and 8 deletions

Please register or to comment