From 10b0cb47e92abe52c5372ded0fe80a5a5f18586f Mon Sep 17 00:00:00 2001
From: Harsh Sahu
Date: Thu, 29 Jun 2017 18:50:20 -0700
Subject: [PATCH] msm: mdss: fix the use after free problem in rotator ioctl

Currently the fence fd is installed too early. This can cause a use after free problem if the fence fd is closed in some other thread. This change will install the fence fd where it is required and eliminates the problem.

Bug: 37478866
Change-Id: I5cf585ea87ef75fccae06da6cb5a6c16fc74eff3
Signed-off-by: Harsh Sahu
---
 drivers/video/msm/mdss/mdss_rotator.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/video/msm/mdss/mdss_rotator.c b/drivers/video/msm/mdss/mdss_rotator.c
index 95ca5b74e2369..5910a69bc844b 100644
--- a/drivers/video/msm/mdss/mdss_rotator.c
+++ b/drivers/video/msm/mdss/mdss_rotator.c
@@ -375,6 +375,15 @@ static bool mdss_rotator_is_work_pending(struct mdss_rot_mgr *mgr,
 return false;
 }
 
+static void mdss_rotator_install_fence_fd(struct mdss_rot_entry_container *req)
+{
+ int i = 0;
+
+ for (i = 0; i < req->count; i++)
+ sync_fence_install(req->entries[i].output_fence,
+ req->entries[i].output_fence_fd);
+}
+
 static int mdss_rotator_create_fence(struct mdss_rot_entry *entry)
 {
 int ret = 0, fd;
@@ -413,7 +422,6 @@ static int mdss_rotator_create_fence(struct mdss_rot_entry *entry)
 goto get_fd_err;
 }
 
- sync_fence_install(fence, fd);
 rot_timeline->next_value++;
 mutex_unlock(&rot_timeline->lock);
 
@@ -2248,6 +2256,7 @@ static int mdss_rotator_handle_request(struct mdss_rot_mgr *mgr,
 goto handle_request_err1;
 }
 
+ mdss_rotator_install_fence_fd(req);
 mdss_rotator_queue_request(mgr, private, req);
 mutex_unlock(&mgr->lock);
 
@@ -2408,6 +2417,7 @@ static int mdss_rotator_handle_request32(struct mdss_rot_mgr *mgr,
 goto handle_request32_err1;
 }
 
+ mdss_rotator_install_fence_fd(req);
 mdss_rotator_queue_request(mgr, private, req);
 mutex_unlock(&mgr->lock);
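Review bot: Once mdss_rotator_install_fence_fd() runs, each entry's fd is owned by user space and may be closed at any moment, so nothing between the new call and mdss_rotator_queue_request() may fail, and every failure path before it in mdss_rotator_handle_request (the `goto handle_request_err1` context just above the call and whatever lies above the hunk) must now release the still-uninstalled fd/fence pair itself rather than relying on a close of the fd, which the diff does not show; the same applies to the mdss_rotator_handle_request32 hunk. Both enclosing functions start and end outside their hunks, and the deferred install means the cleanup that mdss_rotator_create_fence's `get_fd_err` path does for one entry now has to be mirrored for all already-created entries at the request level. The helper in the first hunk should document this ordering contract, e.g. `/* Must run last, right before queueing: installing the fd hands the fence reference to user space, which may close it at any time. Callers must release uninstalled fds/fences on every earlier error path. */`. If any entry can be created without an output fence, the loop also needs a NULL check before sync_fence_install(); presumably mdss_rotator_create_fence() always sets both fields, but confirm. Minor style: `int i = 0;` followed by `for (i = 0; ...)` initializes the index twice; `int i;` suffices.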