| From 8e43c9c75faf2902955bd2ecd7a50a8cc41cb00a Mon Sep 17 00:00:00 2001 |
| From: Alistair Strachan <alistair.strachan@imgtec.com> |
| Date: Tue, 24 Mar 2015 14:51:31 -0700 |
| Subject: staging: android: sync: Fix memory corruption in sync_timeline_signal(). |
| |
| From: Alistair Strachan <alistair.strachan@imgtec.com> |
| |
| commit 8e43c9c75faf2902955bd2ecd7a50a8cc41cb00a upstream. |
| |
| The android_fence_release() function checks for active sync points |
| by calling list_empty() on the list head embedded in the sync |
| point. However, it is only valid to use list_empty() on nodes that |
| have been initialized with INIT_LIST_HEAD() or list_del_init(). |
| |
| Because the list entry has likely been removed from the active list |
| by sync_timeline_signal(), there is a good chance that this |
| WARN_ON_ONCE() will be hit due to dangling pointers pointing at |
| freed memory (even though the sync drivers did nothing wrong) |
| and memory corruption will ensue as the list entry is removed for |
| a second time, corrupting the active list. |
| |
| This problem can be reproduced quite easily with CONFIG_DEBUG_LIST=y |
| and fences with more than one sync point. |
| |
| Signed-off-by: Alistair Strachan <alistair.strachan@imgtec.com> |
| Cc: Maarten Lankhorst <maarten.lankhorst@canonical.com> |
| Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Cc: Colin Cross <ccross@google.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/staging/android/sync.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
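The rule the commit message relies on, that list_empty() is only meaningful on a node that has been through INIT_LIST_HEAD() or list_del_init(), and the double unlink that follows when sync_timeline_signal() uses plain list_del(), reproduced in a userspace model. This is an added example, not code from the patch or from the Android sync driver: it re-implements the kernel list primitives from include/linux/list.h in userspace (with a CONFIG_DEBUG_LIST-style validity check) and uses made-up stand-ins (sync_pt_model, timeline_model, timeline_signal, fence_release, run_scenario, double_unlink_is_noop) for the two sync.c paths the message names.

```c
/*
 * Userspace model of the Linux intrusive list primitives and of the two
 * sync.c code paths involved in this fix.  Added example, not code from the
 * patch or from drivers/staging/android/sync.c; all struct and function
 * names below are invented for the demonstration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

/* Kernel list_del() leaves these in the unlinked node.  They are not valid
 * pointers, so list_empty(node) is meaningless and a second unlink is UB. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x200)

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->next = head; n->prev = head->prev;
	head->prev->next = n; head->prev = n;
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Equivalent of the CONFIG_DEBUG_LIST check on unlink: a node is unlinkable
 * only if it is not poisoned and both neighbours still point back at it. */
static bool list_del_entry_valid(const struct list_head *e)
{
	return e->next != LIST_POISON1 && e->prev != LIST_POISON2 &&
	       e->prev->next == e && e->next->prev == e;
}

static void __list_del(struct list_head *prev, struct list_head *next)
{
	next->prev = prev; prev->next = next;
}

/* list_del(): unlink and poison.  The node must not be inspected again. */
static void list_del(struct list_head *e)
{
	__list_del(e->prev, e->next);
	e->next = LIST_POISON1; e->prev = LIST_POISON2;
}

/* list_del_init(): unlink and relink to self, so list_empty(e) is true and
 * a further list_del_init(e) is a harmless no-op. */
static void list_del_init(struct list_head *e)
{
	__list_del(e->prev, e->next);
	INIT_LIST_HEAD(e);
}

/* Stand-ins for struct sync_pt / struct sync_timeline (names invented). */
struct sync_pt_model { int value; struct list_head active_list; };
struct timeline_model { int now; struct list_head active_list_head; };

/* Mirror of the sync_timeline_signal() loop in the hunk: unlink every
 * signalled point, with the pre-fix list_del() or the fixed list_del_init(). */
static void timeline_signal(struct timeline_model *obj, bool fixed)
{
	struct list_head *pos, *n;
	for (pos = obj->active_list_head.next, n = pos->next;
	     pos != &obj->active_list_head; pos = n, n = pos->next) {
		struct sync_pt_model *pt = container_of(pos, struct sync_pt_model, active_list);
		if (pt->value <= obj->now) {
			if (fixed) list_del_init(&pt->active_list);
			else list_del(&pt->active_list);
		}
	}
}

/* Mirror of the android_fence_release() check the commit message describes.
 * Returns 0 when the node is seen as inactive, 1 when WARN_ON_ONCE would fire
 * but the unlink is still sane, 2 when WARN fires and the second unlink would
 * touch a poisoned node (what CONFIG_DEBUG_LIST reports; memory corruption
 * without it). */
static int fence_release(struct sync_pt_model *pt)
{
	if (list_empty(&pt->active_list))
		return 0;
	if (!list_del_entry_valid(&pt->active_list))
		return 2;
	list_del(&pt->active_list);
	return 1;
}

/* Scenario from the commit message: a fence of two sync points on one
 * timeline, both signalled, then both released.  Returns the worst
 * fence_release() outcome of the two. */
static int run_scenario(bool fixed)
{
	struct timeline_model tl = { .now = 0 };
	struct sync_pt_model a = { .value = 1 }, b = { .value = 2 };
	int worst = 0, r;

	INIT_LIST_HEAD(&tl.active_list_head);
	list_add_tail(&a.active_list, &tl.active_list_head);
	list_add_tail(&b.active_list, &tl.active_list_head);
	tl.now = 2;                      /* timeline advances past both points */
	timeline_signal(&tl, fixed);
	r = fence_release(&a); if (r > worst) worst = r;
	r = fence_release(&b); if (r > worst) worst = r;
	return worst;
}

/* With list_del_init() a repeated unlink of the same node is harmless. */
static bool double_unlink_is_noop(void)
{
	struct list_head head, node;
	INIT_LIST_HEAD(&head);
	list_add_tail(&node, &head);
	list_del_init(&node);
	list_del_init(&node);
	return list_empty(&head) && list_empty(&node) && list_del_entry_valid(&node);
}

int main(void)
{
	printf("before fix (list_del):     outcome %d\n", run_scenario(false)); /* 2 */
	printf("after fix (list_del_init): outcome %d\n", run_scenario(true));  /* 0 */
	printf("double list_del_init harmless: %d\n", double_unlink_is_noop()); /* 1 */
	return 0;
}
```

Build with `cc -Wall -o sync_model sync_model.c && ./sync_model`. The pre-fix run ends at outcome 2 for every point: after list_del() the node's next/prev hold poison values, so `!list_empty()` is true in the release path and the second unlink operates on a node that no longer belongs to any list. With list_del_init() the node is self-linked, list_empty() is true, and even an accidental repeat unlink leaves both the node and the timeline's active list intact.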
| --- a/drivers/staging/android/sync.c |
| +++ b/drivers/staging/android/sync.c |
| @@ -114,7 +114,7 @@ void sync_timeline_signal(struct sync_ti |
| list_for_each_entry_safe(pt, next, &obj->active_list_head, |
| active_list) { |
| if (fence_is_signaled_locked(&pt->base)) |
| - list_del(&pt->active_list); |
| + list_del_init(&pt->active_list); |
| } |
| |
| spin_unlock_irqrestore(&obj->child_list_lock, flags); |
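Review bot: nothing at the `list_del_init(&pt->active_list)` call says why the `_init` variant is load-bearing, and a later cleanup could plausibly turn it back into `list_del()` and reintroduce the double unlink. Since, per the commit message, android_fence_release() decides whether to unlink with `list_empty(&pt->active_list)`, a one-line comment next to the call, something like `/* list_del_init(): android_fence_release() tests list_empty() on this node */`, would document the dependency. Worth confirming in the same pass that no other path removes a point from `active_list` with plain `list_del()`, and that `active_list` is set up with INIT_LIST_HEAD() when the sync point is created, otherwise the `list_empty()` test in the release path is just as undefined for a point that was never placed on the active list.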