
Commit bd281fbe authored by Sumukh Hallymysore Ravindra

msm: synx: verify synx obj validity before accessing members



The change verifies that the synx object is valid before accessing
any of its members. This prevents clients from accessing synx objects
after they have been cleaned up.

Change-Id: I96e9e489af872fa1618fb66b942b263b7da1e52b
Signed-off-by: Sumukh Hallymysore Ravindra <shallymy@codeaurora.org>
parent 4a00f6e6
+29 −1
@@ -252,6 +252,13 @@ int synx_signal_core(struct synx_table_row *row, u32 status)

	spin_lock_bh(&synx_dev->row_spinlocks[row->index]);

	if (!row->index) {
		spin_unlock_bh(&synx_dev->row_spinlocks[row->index]);
		pr_err("object already cleaned up at %d\n",
			row->index);
		return -EINVAL;
	}

	if (synx_status_locked(row) != SYNX_STATE_ACTIVE) {
		spin_unlock_bh(&synx_dev->row_spinlocks[row->index]);
		pr_err("object already signaled synx at %d\n",
@@ -444,8 +451,13 @@ static int synx_release_core(struct synx_table_row *row)
	 * be carefull while accessing the metadata
	 */
	fence = row->fence;
	spin_lock_bh(&synx_dev->row_spinlocks[row->index]);
	idx = row->index;
	spin_lock_bh(&synx_dev->row_spinlocks[idx]);
	if (!idx) {
		spin_unlock_bh(&synx_dev->row_spinlocks[idx]);
		pr_err("object already cleaned up at %d\n", idx);
		return -EINVAL;
	}
	/*
	 * we need to clear the metadata for merged synx obj upon synx_release
	 * itself as it does not invoke the synx_fence_release function.
@@ -490,6 +502,15 @@ int synx_wait(s32 synx_obj, u64 timeout_ms)
		return -EINVAL;
	}

	spin_lock_bh(&synx_dev->row_spinlocks[row->index]);
	if (!row->index) {
		spin_unlock_bh(&synx_dev->row_spinlocks[row->index]);
		pr_err("object already cleaned up at %d\n",
			row->index);
		return -EINVAL;
	}
	spin_unlock_bh(&synx_dev->row_spinlocks[row->index]);

	timeleft = dma_fence_wait_timeout(row->fence, (bool) 0,
					msecs_to_jiffies(timeout_ms));
	if (timeleft <= 0) {
@@ -669,6 +690,13 @@ int synx_import(s32 synx_obj, u32 import_key, s32 *new_synx_obj)
	}

	spin_lock_bh(&synx_dev->row_spinlocks[row->index]);
	if (!row->index) {
		spin_unlock_bh(&synx_dev->row_spinlocks[row->index]);
		pr_err("object already cleaned up at %d\n",
			row->index);
		kfree(obj_node);
		return -EINVAL;
	}
	obj_node->synx_obj = id;
	list_add(&obj_node->list, &row->synx_obj_list);
	spin_unlock_bh(&synx_dev->row_spinlocks[row->index]);
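Review bot: In the synx_wait hunk (@@ -490) the new validity check is released before the protected member is used: the lock is dropped at `spin_unlock_bh(&synx_dev->row_spinlocks[row->index]);` and `row->fence` is then dereferenced by dma_fence_wait_timeout() with no lock held, so a cleanup racing with the wait appears to still reach a freed row and the check only narrows the window. Unless something not visible here keeps the row alive across the wait, the fence should be pinned while the lock is held — a local `struct dma_fence *fence` set with `fence = dma_fence_get(row->fence);` before the unlock, the wait changed to `timeleft = dma_fence_wait_timeout(fence, (bool) 0, msecs_to_jiffies(timeout_ms));`, and `dma_fence_put(fence);` once the wait returns. Separately, each new `pr_err("object already cleaned up at %d\n", row->index)` (and the `idx` variant in synx_release_core) logs a value the branch has just established to be 0; in synx_wait and synx_import the `synx_obj` handle is in scope and would actually identify the object. synx_wait's body starts and ends outside the hunk.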