msm: camera: Delete list entry after work has finished (84d6a8cc) · Commits · e / devices / android_kernel_fairphone_FP3

While dispatching kernel callbacks, wait until the callback work has finished before deleting the callback information from the sync object callback linked list. Do this because otherwise if the callback dispatch finishes before deleting the list entry, the memory might be already freed and it will lead to a use-after-free scenario. CRs-Fixed: 1108613 Change-Id: Ieaab8dd95a81e018e0511fa162e4d32d37c7e99a Signed-off-by:

Seemanta Dutta <seemanta@codeaurora.org>

drivers/media/platform/msm/camera/cam_sync/cam_sync.c

+0 −1

Original line number	Diff line number	Diff line
		@@ -246,7 +246,6 @@ int cam_sync_signal(int32_t sync_obj, uint32_t status)
		sync_cb->status = list_info->status;
		queue_work(sync_dev->work_queue,
		&sync_cb->cb_dispatch_work);
		list_del_init(&sync_cb->list);
		}

		/* Dispatch user payloads if any were registered earlier */

drivers/media/platform/msm/camera/cam_sync/cam_sync_util.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -223,6 +223,7 @@ void cam_sync_util_cb_dispatch(struct work_struct *cb_dispatch_work)
		cb_info->status,
		cb_info->cb_data);

		list_del_init(&cb_info->list);
		kfree(cb_info);
		}