author | Nick Chung <nickchung@google.com> | 2023-03-17 12:53:20 +0800 |
---|---|---|
committer | TreeHugger Robot <treehugger-gerrit@google.com> | 2023-03-29 08:18:51 +0000 |
commit | f70c8f6e18455fae6b56887670ee7eef0a49baf4 (patch) | |
tree | 3d8f1184946c218201fe44fe20fe78eaa595c38c | |
parent | 4711d94f29bf4536a40b3e1fd8d273cec00557fd (diff) | |
download | lwis-f70c8f6e18455fae6b56887670ee7eef0a49baf4.tar.gz |
Transaction: protect lwis_transaction_free in process_transaction
Avoid running both process_transaction and release client
at the same time to prevent a use-after-free (UAF).
Bug: 272403230
Test: GCA, CTS
Change-Id: I9233ab5836c2d94bb5f37cda8fa8ab08639fdcec
Signed-off-by: Nick Chung <nickchung@google.com>
-rw-r--r-- | lwis_transaction.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lwis_transaction.c b/lwis_transaction.c
index 6c73101..cf9509e 100644
--- a/lwis_transaction.c
+++ b/lwis_transaction.c
@@ -168,6 +168,7 @@ static int process_transaction(struct lwis_client *client, struct lwis_transacti
 const int reg_value_bytewidth = lwis_dev->native_value_bitwidth / 8;
 int64_t process_duration_ns = 0;
 int64_t process_timestamp = ktime_to_ns(lwis_get_time());
+ unsigned long flags;
 resp_size = sizeof(struct lwis_transaction_response_header) + resp->results_size_bytes;
 read_buf = (uint8_t *)resp + sizeof(struct lwis_transaction_response_header);
@@ -301,6 +302,8 @@ static int process_transaction(struct lwis_client *client, struct lwis_transacti
 resp->error_code, transaction->info.id, i, entry->type);
 }
 }
+
+ spin_lock_irqsave(&client->transaction_lock, flags);
 if (pending_fences) {
 /* Convert -ECANCELED error code to userspace Cancellation error code */
 pending_status = resp->error_code == -ECANCELED ? 1 : resp->error_code;
@@ -315,6 +318,7 @@ static int process_transaction(struct lwis_client *client, struct lwis_transacti
 } else {
 lwis_transaction_free(lwis_dev, transaction);
 }
+ spin_unlock_irqrestore(&client->transaction_lock, flags);
 return ret;
 } |
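Review bot: The new `spin_lock_irqsave(&client->transaction_lock, flags)` only covers the fence-signalling/free tail of process_transaction, yet `transaction` is still dereferenced before the lock is taken (for example `transaction->info.id` in the log call at the top of the second hunk, and the whole entry-processing loop above it), so if the client-release path can free the transaction concurrently those earlier accesses remain an unlocked UAF window; if the caller already guarantees the transaction is unreachable from the client's lists before processing, a comment above the lock stating that invariant would make the narrower critical section defensible: `/* Serialise against client release: the transaction may be freed below, so nothing may touch it after the unlock. */`. The lock is now held with interrupts disabled across the `if (pending_fences)` body, whose middle lies outside the hunk, and across lwis_transaction_free(); please confirm nothing in that range sleeps or returns/gotos early, since an early exit would leave the lock held and irqs off. process_transaction starts before the first hunk (its signature is only visible in the `@@` context); the third hunk ends at its closing brace.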