OrgACRN
/
acrn-kernel
mirror of https://github.com/projectacrn/acrn-kernel.git
1
0
Fork 0
Code Issues Releases Wiki Activity

drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl 

If it is async, runqueue_node is freed in g2d_runqueue_worker on another
worker thread. So in extreme cases, if g2d_runqueue_worker runs first, and
then executes the following if statement, there will be use-after-free.

Signed-off-by: Min Li <lm0963hack@gmail.com>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
This commit is contained in:
Min Li 2023-05-26 21:01:31 +08:00 committed by Inki Dae
parent 4a05955980
commit 48bfd02569
No known key found for this signature in database
GPG Key ID: 64C67166D9D46D09
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/gpu/drm/exynos/exynos_drm_g2d.c
View File

@ -1335,7 +1335,7 @@ int exynos_g2d_exec_ioctl(struct drm_device *drm_dev, void *data,
/* Let the runqueue know that there is work to do. */
queue_work(g2d->g2d_workq, &g2d->runqueue_work);
if (runqueue_node->async)
if (req->async)
goto out;
wait_for_completion(&runqueue_node->complete);