diff options
author | Deepak Nibade <dnibade@nvidia.com> | 2016-10-10 07:03:32 -0400 |
---|---|---|
committer | mobile promotions <svcmobile_promotions@nvidia.com> | 2016-10-10 13:13:56 -0400 |
commit | bb5fd16c67287e53db5165a974ea15ec3be09fe9 (patch) | |
tree | 062f363cbfaa58c64ee377c6d608037cda15acf6 /drivers/gpu/nvgpu/gk20a/channel_gk20a.h | |
parent | 3bbd6419767896719833bc5024200ea67b8fb914 (diff) |
gpu: nvgpu: fix use-after-free in case of error notifier
A use-after-free scenario is possible where one thread in
gk20a_free_error_notifiers() is trying to free the error
notifier and another thread in gk20a_set_error_notifier()
is still using the error notifier
Fix this by introducing mutex error_notifier_mutex for
error notifier accesses
Take mutex in gk20a_free_error_notifiers() and in
gk20a_set_error_notifier() before accessing notifier
In gk20a_init_error_notifier(), set the pointer
ch->error_notifier_ref inside the mutex and only
after notifier is completely initialized
Bug 1824788
Change-Id: I47e1ab57d54f391799f5a0999840b663fd34585f
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1233988
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Diffstat (limited to 'drivers/gpu/nvgpu/gk20a/channel_gk20a.h')
-rw-r--r-- | drivers/gpu/nvgpu/gk20a/channel_gk20a.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h index a44321bc..f6571b6f 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h | |||
@@ -177,6 +177,7 @@ struct channel_gk20a { | |||
177 | struct dma_buf *error_notifier_ref; | 177 | struct dma_buf *error_notifier_ref; |
178 | struct nvgpu_notification *error_notifier; | 178 | struct nvgpu_notification *error_notifier; |
179 | void *error_notifier_va; | 179 | void *error_notifier_va; |
180 | struct mutex error_notifier_mutex; | ||
180 | 181 | ||
181 | struct mutex sync_lock; | 182 | struct mutex sync_lock; |
182 | struct gk20a_channel_sync *sync; | 183 | struct gk20a_channel_sync *sync; |