Skip to content

Commit

Permalink
drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
Browse files Browse the repository at this point in the history 
[ Upstream commit 48bfd02 ]

If it is async, runqueue_node is freed in g2d_runqueue_worker on another
worker thread. So in extreme cases, if g2d_runqueue_worker runs first, and
then executes the following if statement, there will be use-after-free.

Signed-off-by: Min Li <lm0963hack@gmail.com>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
  • Loading branch information
Min Li authored and Greg Kroah-Hartman committed Jun 28, 2023
1 parent 29874d1 commit a5dda6e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/gpu/drm/exynos/exynos_drm_g2d.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1327,7 +1327,7 @@ int exynos_g2d_exec_ioctl(struct drm_device *drm_dev, void *data,
/* Let the runqueue know that there is work to do. */
queue_work(g2d->g2d_workq, &g2d->runqueue_work);

if (runqueue_node->async)
if (req->async)
goto out;

wait_for_completion(&runqueue_node->complete);
Expand Down

0 comments on commit a5dda6e

Please sign in to comment.