field | value
---|---
author | Varad Gautam <varadgautam@google.com>, 2023-11-24 10:27:30 +0000
committer | Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com>, 2023-11-28 17:27:58 +0000
commit | cab5dbbee97ee9e3baa41d00372363a2f53196e0 (patch)
tree | 93aace9c180f4c56d05161aee3ecbc34d2dceaf8 /mali_kbase
parent | 678306eae773bf1b9721392c8c42f81d95681bb7 (diff)
download | gpu-cab5dbbee97ee9e3baa41d00372363a2f53196e0.tar.gz
csf: Fix kbase_kcpu_command_queue UaF due to bad queue creation
kbase_csf_kcpu_queue_new() places a queue ptr into
kctx->csf.kcpu_queues.array and proceeds to alloc/populate metadata.
If metadata setup fails, kbase kfree()-s the queue and bails out,
leaving behind a stale queue ptr in the array.
Using such a queue object crashes the kernel (e.g. in delete_queue()).
Change-Id: I9c4117ac3e938567aedfa7a7d343254c2e2fa48d
Signed-off-by: Varad Gautam <varadgautam@google.com>
Bug: 303353064
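As an added illustration, not code from the kbase driver or from this change: a minimal C model of the create path the commit message describes, with the pre-fix ordering (publish the queue into the array and the in_use bitmap, then set up metadata) beside the post-fix ordering (publish last). Every name here (kcpu_ctx, queue_new_buggy, queue_new_fixed, published_slots, the 8-slot limit, the simulated setup_metadata failure) is an assumption of this example, and the driver's kcpu_queues mutex is omitted because the model is single-threaded.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define KCPU_QUEUES_MAX 8   /* hypothetical slot count; the real limit is not on this page */

struct kcpu_queue {
    void *metadata;         /* stands in for the per-queue metadata set up after allocation */
};

struct kcpu_ctx {           /* models kctx->csf.kcpu_queues; the mutex is omitted here */
    unsigned long in_use;   /* one bit per slot, like the in_use bitmap */
    struct kcpu_queue *array[KCPU_QUEUES_MAX];
};

static int find_free_slot(const struct kcpu_ctx *ctx)
{
    for (int i = 0; i < KCPU_QUEUES_MAX; i++)
        if (!(ctx->in_use & (1UL << i)))
            return i;
    return -EBUSY;
}

/* Simulated metadata setup; fail=true stands in for the allocation failure. */
static int setup_metadata(struct kcpu_queue *q, bool fail)
{
    if (fail) return -ENOMEM;
    q->metadata = calloc(1, 64);
    return q->metadata ? 0 : -ENOMEM;
}

/* Pre-fix ordering: publish into the registry first, then finish setup. */
static int queue_new_buggy(struct kcpu_ctx *ctx, bool fail_metadata)
{
    int idx = find_free_slot(ctx);
    if (idx < 0) return idx;
    struct kcpu_queue *q = calloc(1, sizeof(*q));
    if (!q) return -ENOMEM;
    ctx->in_use |= 1UL << idx;
    ctx->array[idx] = q;            /* already visible to the rest of the driver */
    int err = setup_metadata(q, fail_metadata);
    if (err) { free(q); return err; }   /* array[idx] and the in_use bit still refer to q */
    return idx;
}

/* Post-fix ordering: build the object completely, publish only on success. */
static int queue_new_fixed(struct kcpu_ctx *ctx, bool fail_metadata)
{
    int idx = find_free_slot(ctx);
    if (idx < 0) return idx;
    struct kcpu_queue *q = calloc(1, sizeof(*q));
    if (!q) return -ENOMEM;
    int err = setup_metadata(q, fail_metadata);
    if (err) { free(q); return err; }   /* nothing else references q yet */
    ctx->in_use |= 1UL << idx;      /* last step: a half-built queue is never published */
    ctx->array[idx] = q;
    return idx;
}

/* Tear-down through the registry; on a stale entry the q->metadata read is the use-after-free. */
static int queue_delete(struct kcpu_ctx *ctx, int idx)
{
    if (idx < 0 || idx >= KCPU_QUEUES_MAX || !(ctx->in_use & (1UL << idx)))
        return -EINVAL;
    struct kcpu_queue *q = ctx->array[idx];
    free(q->metadata);
    free(q);
    ctx->array[idx] = NULL;
    ctx->in_use &= ~(1UL << idx);
    return 0;
}

/* Slots the registry currently advertises as live (bit set and pointer present). */
static int published_slots(const struct kcpu_ctx *ctx)
{
    int n = 0;
    for (int i = 0; i < KCPU_QUEUES_MAX; i++)
        n += (ctx->in_use & (1UL << i)) && ctx->array[i];
    return n;
}

/* One failed create on a fresh registry: 1 live slot (a dangling pointer) with the
 * buggy ordering, 0 with the fixed ordering, -1 if the create did not fail as expected. */
static int live_slots_after_failed_create(bool use_fixed)
{
    struct kcpu_ctx ctx;
    memset(&ctx, 0, sizeof(ctx));
    int rc = use_fixed ? queue_new_fixed(&ctx, true) : queue_new_buggy(&ctx, true);
    return rc == -ENOMEM ? published_slots(&ctx) : -1;
}

/* Create then delete with the fixed ordering; 0 when the registry ends clean. */
static int fixed_create_delete_roundtrip(void)
{
    struct kcpu_ctx ctx;
    memset(&ctx, 0, sizeof(ctx));
    int idx = queue_new_fixed(&ctx, false);
    if (idx != 0 || published_slots(&ctx) != 1) return -1;
    return (queue_delete(&ctx, idx) == 0 && published_slots(&ctx) == 0) ? 0 : -2;
}
```

The model deliberately never calls queue_delete() on the slot the buggy path leaves behind; in the real driver that call is the crash the commit message mentions. The point to carry over is the ordering invariant: an object goes into a shared lookup structure only after every step that can fail has succeeded, so the failure branches can free it without anyone else holding a reference.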
Diffstat (limited to 'mali_kbase')
-rw-r--r-- | mali_kbase/csf/mali_kbase_csf_kcpu.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/mali_kbase/csf/mali_kbase_csf_kcpu.c b/mali_kbase/csf/mali_kbase_csf_kcpu.c index 049b8eb..52bd307 100644 --- a/mali_kbase/csf/mali_kbase_csf_kcpu.c +++ b/mali_kbase/csf/mali_kbase_csf_kcpu.c @@ -2833,8 +2833,6 @@ int kbase_csf_kcpu_queue_new(struct kbase_context *kctx, goto out; } - bitmap_set(kctx->csf.kcpu_queues.in_use, idx, 1); - kctx->csf.kcpu_queues.array[idx] = queue; mutex_init(&queue->lock); queue->kctx = kctx; queue->start_offset = 0; @@ -2894,6 +2892,8 @@ int kbase_csf_kcpu_queue_new(struct kbase_context *kctx, atomic_set(&queue->fence_signal_pending_cnt, 0); kbase_timer_setup(&queue->fence_signal_timeout, fence_signal_timeout_cb); #endif + bitmap_set(kctx->csf.kcpu_queues.in_use, idx, 1); + kctx->csf.kcpu_queues.array[idx] = queue; out: mutex_unlock(&kctx->csf.kcpu_queues.lock); |
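Review bot: With `bitmap_set(kctx->csf.kcpu_queues.in_use, idx, 1);` and the `array[idx] = queue;` store removed from the first hunk (@@ -2833,8 +2833,6), confirm that nothing between this point and the re-added publish at the end of kbase_csf_kcpu_queue_new() reads kctx->csf.kcpu_queues.array[idx] or tests the in_use bit (for example a timer or work item armed during setup); the queue is now invisible to the rest of the driver until the final store. The failure branch visible just above (`goto out;`) still frees and jumps past the publish, which is what makes the fix work, and that is only sound while kcpu_queues.lock stays held for the whole function, as the unlock under `out:` at the bottom indicates it is.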
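Review bot: In the second hunk (@@ -2894,6 +2892,8) the two added lines sit directly before `out:` and so rely on every error path reaching `out` by `goto` rather than falling through; a future early return or fall-through between the two hunks would silently reintroduce the stale pointer. A short comment above them, e.g. `/* Publish only once the queue is fully initialised. */`, would record that ordering invariant; placing them after `#endif` so the publish is unconditional is correct. Worth stating in the commit message as well: moving bitmap_set() fixes a second defect the message does not mention, since a failed creation previously also left the in_use bit set and leaked the slot.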