From bb5fd16c67287e53db5165a974ea15ec3be09fe9 Mon Sep 17 00:00:00 2001 From: Deepak Nibade Date: Mon, 10 Oct 2016 16:33:32 +0530 Subject: gpu: nvgpu: fix use-after-free in case of error notifier A use-after-free scenario is possible where one thread in gk20a_free_error_notifiers() is trying to free the error notifier and another thread in gk20a_set_error_notifier() is still using the error notifier Fix this by introducing mutex error_notifier_mutex for error notifier accesses Take mutex in gk20a_free_error_notifiers() and in gk20a_set_error_notifier() before accessing notifier In gk20a_init_error_notifier(), set the pointer ch->error_notifier_ref inside the mutex and only after notifier is completely initialized Bug 1824788 Change-Id: I47e1ab57d54f391799f5a0999840b663fd34585f Signed-off-by: Deepak Nibade Reviewed-on: http://git-master/r/1233988 Reviewed-by: mobile promotions Tested-by: mobile promotions --- drivers/gpu/nvgpu/gk20a/channel_gk20a.h | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/gpu/nvgpu/gk20a/channel_gk20a.h') diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h index a44321bc..f6571b6f 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h @@ -177,6 +177,7 @@ struct channel_gk20a { struct dma_buf *error_notifier_ref; struct nvgpu_notification *error_notifier; void *error_notifier_va; + struct mutex error_notifier_mutex; struct mutex sync_lock; struct gk20a_channel_sync *sync; -- cgit v1.2.2
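Review bot: The new `error_notifier_mutex` field in `struct channel_gk20a` carries no comment saying which members it guards, so a later reader cannot tell that `error_notifier_ref`, `error_notifier` and `error_notifier_va` must only be touched with it held; I would add `/* protects error_notifier_ref, error_notifier and error_notifier_va */` directly above the field. This view is limited to the header, so the `mutex_init()` for the field and the lock/unlock pairing described in the commit message are not visible here and should be checked in the channel setup path and on every early-return path of the three functions named. Because a mutex may sleep, it is also worth confirming that no caller of gk20a_set_error_notifier() runs in atomic or interrupt context, otherwise the fix trades the use-after-free for a sleeping-in-atomic bug. The struct definition starts and ends outside the hunk.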