
Commit 34f376cc authored by Govindaraj Rajagopal

msm: vidc: Handle race condition for accessing session head



Currently session_end() accesses &dev->sess_head without device->lock.
So there are high chances of use-after-free in &dev->sess_head.

Change-Id: I34593e6507da9bad13c6d92faf40c4d790825d39
Signed-off-by: Priyanka Gujjula <pgujjula@codeaurora.org>
Signed-off-by: Govindaraj Rajagopal <grajagop@codeaurora.org>
parent 50adf52c
+6 −4
@@ -1984,18 +1984,20 @@ static int venus_hfi_session_end(void *sess)
	struct venus_hfi_device *device = &venus_hfi_dev;
	int rc = 0;

	if (!__is_session_valid(device, session, __func__))
		return -EINVAL;

	mutex_lock(&device->lock);
	if (!__is_session_valid(device, session, __func__)) {
		rc = -EINVAL;
		goto exit;
	}

	if (msm_vidc_fw_coverage) {
		if (__sys_set_coverage(device, msm_vidc_fw_coverage,
				session->sid))
			s_vpr_e(session->sid, "Fw_coverage msg ON failed\n");
	}
	rc = __send_session_cmd(session, HFI_CMD_SYS_SESSION_END);
exit:
	mutex_unlock(&device->lock);

	return rc;
}
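
Review bot: The locking contract for __is_session_valid() is left undocumented at the point where the check moves under mutex_lock(&device->lock) in venus_hfi_session_end(), so nothing prevents a later caller from reintroducing the unlocked check-then-lock pattern this commit removes. Consider stating in a comment on the helper that device->lock must be held, or asserting it inside the helper with lockdep_assert_held(&device->lock). The commit message should also name the path that modifies or frees entries on dev->sess_head concurrently, so the use-after-free claim can be checked against the code. The new exit label does route the -EINVAL path through mutex_unlock(&device->lock), which is the part most easily gotten wrong in this kind of change.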