From 703b1b827c09cac0767a5c2af06b22b8a80e1abf Mon Sep 17 00:00:00 2001
From: Ariel Yin <ayin@google.com>
Date: Thu, 29 Jun 2017 10:39:11 -0700
Subject: [PATCH] msm: mdss:To fix race condition during mdp debugfs release

Fix a race condition in the mdp debugfs release functions
panel_debug_base_release and mdss_debug_base_release by taking
the lock around the freeing of the buffer, so that multiple
concurrent processes cannot interfere with the release, which
could otherwise lead to a use-after-free on the buffer.

Bug: 33863407
Change-Id: I348de6408b5fe7d41d9671c4d0956c0944f828bb
---
 drivers/video/msm/mdss/mdss_debug.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c
index 868883e9d5dd..a10af05d6faf 100644
--- a/drivers/video/msm/mdss/mdss_debug.c
+++ b/drivers/video/msm/mdss/mdss_debug.c
@@ -54,11 +54,13 @@ static int panel_debug_base_open(struct inode *inode, struct file *file)
 static int panel_debug_base_release(struct inode *inode, struct file *file)
 {
 	struct mdss_debug_base *dbg = file->private_data;
+	mutex_lock(&mdss_debug_lock);
 	if (dbg && dbg->buf) {
 		kfree(dbg->buf);
 		dbg->buf_len = 0;
 		dbg->buf = NULL;
 	}
+	mutex_unlock(&mdss_debug_lock);
 	return 0;
 }
 
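Review bot: The lock taken in panel_debug_base_release closes the use-after-free only if every other path that reads or writes `dbg->buf` and `dbg->buf_len` also holds `mdss_debug_lock` for the whole access, including any copy to user space. Those handlers and the mutex definition are outside this hunk, so this cannot be confirmed from the visible lines. The same applies to mdss_debug_base_release in the second hunk. Since `dbg` comes from `file->private_data` and is presumably shared by all opens of the same debugfs node, one close frees the buffer for every other open descriptor, so the other handlers have to re-check `dbg->buf` under the lock rather than use a pointer fetched earlier. A comment above each `mutex_lock()` call such as `/* serialise freeing of dbg->buf against concurrent users of this node */`, with a blank line after the `dbg` declaration, would record what the lock protects.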
@@ -353,11 +355,13 @@ static int mdss_debug_base_open(struct inode *inode, struct file *file)
 static int mdss_debug_base_release(struct inode *inode, struct file *file)
 {
 	struct mdss_debug_base *dbg = file->private_data;
+	mutex_lock(&mdss_debug_lock);
 	if (dbg && dbg->buf) {
 		kfree(dbg->buf);
 		dbg->buf_len = 0;
 		dbg->buf = NULL;
 	}
+	mutex_unlock(&mdss_debug_lock);
 	return 0;
 }
 
-- 
GitLab