From 64e4e29356928bea60ae4be5b387eb7d8d7a7f45 Mon Sep 17 00:00:00 2001 From: Harsh Sahu Date: Thu, 13 Apr 2017 15:38:46 -0700 Subject: msm: mdss: fix race condition during mdp debugfs release Fix race condition in the release of the mdp debugfs functions panel_debug_base_release and mdss_debug_base_release by adding the lock for unpreempted freeing of the buffer so that multiple concurrent processes cannot affect the release which can possibly lead to use-after-free operation on the buffer. Change-Id: I9586081b65ae2eb0e7f6e30c606ee748ae9ef7e8 Signed-off-by: Harsh Sahu --- drivers/video/fbdev/msm/mdss_debug.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/video/fbdev/msm/mdss_debug.c b/drivers/video/fbdev/msm/mdss_debug.c index e6086914..0ecf1ef 100644 --- a/drivers/video/fbdev/msm/mdss_debug.c +++ b/drivers/video/fbdev/msm/mdss_debug.c @@ -59,11 +59,13 @@ static int panel_debug_base_open(struct inode *inode, struct file *file) static int panel_debug_base_release(struct inode *inode, struct file *file) { struct mdss_debug_base *dbg = file->private_data; + mutex_lock(&mdss_debug_lock); if (dbg && dbg->buf) { kfree(dbg->buf); dbg->buf_len = 0; dbg->buf = NULL; } + mutex_unlock(&mdss_debug_lock); return 0; } @@ -385,11 +387,13 @@ static int mdss_debug_base_open(struct inode *inode, struct file *file) static int mdss_debug_base_release(struct inode *inode, struct file *file) { struct mdss_debug_base *dbg = file->private_data; + mutex_lock(&mdss_debug_lock); if (dbg && dbg->buf) { kfree(dbg->buf); dbg->buf_len = 0; dbg->buf = NULL; } + mutex_unlock(&mdss_debug_lock); return 0; } -- cgit v1.1