diff options
| author | Nick Chung <nickchung@google.com> | 2023-03-28 06:11:38 +0000 |
|---|---|---|
| committer | Nick Chung <nickchung@google.com> | 2023-03-28 06:11:38 +0000 |
| commit | 676c16df8585f0b8178dc5c22fee18033ea03ec8 (patch) | |
| tree | 67510ff7fe011860773f4baa11fd04ebcbcc316b | |
| parent | 2bda1c9518373563be560d9e933ce4ce9f3270d6 (diff) | |
| download | lwis-676c16df8585f0b8178dc5c22fee18033ea03ec8.tar.gz | |
Top: Fix lwis_top_event_subscribe() UAFandroid-t-qpr3-beta-3_r0.5android-t-qpr3-beta-3_r0.4android-t-qpr3-beta-3_r0.3android-t-qpr3-beta-3.1_r0.5android-t-qpr3-beta-3.1_r0.4android-t-qpr3-beta-3.1_r0.3android-13.0.0_r0.92android-13.0.0_r0.85android-13.0.0_r0.84android-13.0.0_r0.83android-13.0.0_r0.82android-13.0.0_r0.127android-13.0.0_r0.126android-13.0.0_r0.125android-13.0.0_r0.124android-13.0.0_r0.123android-13.0.0_r0.121android-13.0.0_r0.117android-13.0.0_r0.116android-13.0.0_r0.115android-13.0.0_r0.114android-13.0.0_r0.113android-13.0.0_r0.112android-13.0.0_r0.107android-13.0.0_r0.106android-13.0.0_r0.105android-13.0.0_r0.104android-13.0.0_r0.103android-13.0.0_r0.100android-gs-tangorpro-5.10-android13-qpr3android-gs-raviole-5.10-t-qpr3-beta-3android-gs-raviole-5.10-android13-qpr3android-gs-pantah-5.10-t-qpr3-beta-3android-gs-pantah-5.10-android13-qpr3android-gs-lynx-5.10-android13-qpr3android-gs-felix-5.10-android13-qpr3-candroid-gs-felix-5.10-android13-qpr3android-gs-bluejay-5.10-t-qpr3-beta-3android-gs-bluejay-5.10-android13-qpr3
The event_subscriber_list is used to subscribe and unsubscribe
from events. The list may be removed before it is unsubscribed from,
so it must be protected by a Spinlock to prevent data corruption.
Bug: 239867994
Test: Fuzzing test. GCA
Change-Id: Ibc8c2b218e16e5300bc68a3e4281fc0ba53adf62
Signed-off-by: Nick Chung <nickchung@google.com>
| -rw-r--r-- | lwis_device_top.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lwis_device_top.c b/lwis_device_top.c index c5de1ed..6c72371 100644 --- a/lwis_device_top.c +++ b/lwis_device_top.c @@ -215,13 +215,14 @@ static int lwis_top_event_subscribe(struct lwis_device *lwis_dev, int64_t trigge return -EINVAL; } + spin_lock_irqsave(&lwis_top_dev->base_dev.lock, flags); event_subscriber_list = event_subscriber_list_find_or_create(lwis_dev, trigger_event_id); if (!event_subscriber_list) { + spin_unlock_irqrestore(&lwis_top_dev->base_dev.lock, flags); dev_err(lwis_dev->dev, "Can't find/create event subscriber list\n"); return -EINVAL; } - spin_lock_irqsave(&lwis_top_dev->base_dev.lock, flags); list_for_each (it_event_subscriber, &event_subscriber_list->list) { old_subscription = list_entry(it_event_subscriber, struct lwis_event_subscribe_info, list_node); |