Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-09-20 12:44:44 -04:00
Code Issues Projects Releases Packages Wiki Activity

Switch to new CVE patchset

Browse source
This commit is contained in:
Tad 2017-11-07 17:32:46 -05:00
parent 57ce42402b
commit 11c7037780
1215 changed files with 60697 additions and 14533 deletions
Download patch file Download diff file Expand all files Collapse all files

52
Patches/Linux_CVEs/CVE-2017-8266/4.4/0002.patch Normal file
View file

@ -0,0 +1,52 @@
From 64e4e29356928bea60ae4be5b387eb7d8d7a7f45 Mon Sep 17 00:00:00 2001
From: Harsh Sahu <hsahu@codeaurora.org>
Date: Thu, 13 Apr 2017 15:38:46 -0700
Subject: msm: mdss: fix race condition during mdp debugfs release
Fix race condition in the release of the mdp debugfs functions
panel_debug_base_release and mdss_debug_base_release by adding
the lock for unpreempted freeing of the buffer so that multiple
concurrent processes cannot affect the release which can possibly
lead to use-after-free operation on the buffer.
Change-Id: I9586081b65ae2eb0e7f6e30c606ee748ae9ef7e8
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
---
drivers/video/fbdev/msm/mdss_debug.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/video/fbdev/msm/mdss_debug.c b/drivers/video/fbdev/msm/mdss_debug.c
index e6086914..0ecf1ef 100644
--- a/drivers/video/fbdev/msm/mdss_debug.c
+++ b/drivers/video/fbdev/msm/mdss_debug.c
@@ -59,11 +59,13 @@ static int panel_debug_base_open(struct inode *inode, struct file *file)
static int panel_debug_base_release(struct inode *inode, struct file *file)
{
struct mdss_debug_base *dbg = file->private_data;
+ mutex_lock(&mdss_debug_lock);
if (dbg && dbg->buf) {
kfree(dbg->buf);
dbg->buf_len = 0;
dbg->buf = NULL;
}
+ mutex_unlock(&mdss_debug_lock);
return 0;
}
@@ -385,11 +387,13 @@ static int mdss_debug_base_open(struct inode *inode, struct file *file)
static int mdss_debug_base_release(struct inode *inode, struct file *file)
{
struct mdss_debug_base *dbg = file->private_data;
+ mutex_lock(&mdss_debug_lock);
if (dbg && dbg->buf) {
kfree(dbg->buf);
dbg->buf_len = 0;
dbg->buf = NULL;
}
+ mutex_unlock(&mdss_debug_lock);
return 0;
}
--
cgit v1.1