authorNick Chung <nickchung@google.com>2023-03-17 12:53:20 +0800
committerTreeHugger Robot <treehugger-gerrit@google.com>2023-03-29 08:18:51 +0000
commitf70c8f6e18455fae6b56887670ee7eef0a49baf4 (patch)
tree3d8f1184946c218201fe44fe20fe78eaa595c38c
parent4711d94f29bf4536a40b3e1fd8d273cec00557fd (diff)
downloadlwis-f70c8f6e18455fae6b56887670ee7eef0a49baf4.tar.gz
Transaction: protect lwis_transaction_free in process_transaction
Avoid running both process_transaction and release client at the same time to prevent a use-after-free (UAF). Bug: 272403230 Test: GCA, CTS Change-Id: I9233ab5836c2d94bb5f37cda8fa8ab08639fdcec Signed-off-by: Nick Chung <nickchung@google.com>
-rw-r--r--lwis_transaction.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/lwis_transaction.c b/lwis_transaction.c
index 6c73101..cf9509e 100644
--- a/lwis_transaction.c
+++ b/lwis_transaction.c
@@ -168,6 +168,7 @@ static int process_transaction(struct lwis_client *client, struct lwis_transacti
const int reg_value_bytewidth = lwis_dev->native_value_bitwidth / 8;
int64_t process_duration_ns = 0;
int64_t process_timestamp = ktime_to_ns(lwis_get_time());
+ unsigned long flags;
resp_size = sizeof(struct lwis_transaction_response_header) + resp->results_size_bytes;
read_buf = (uint8_t *)resp + sizeof(struct lwis_transaction_response_header);
@@ -301,6 +302,8 @@ static int process_transaction(struct lwis_client *client, struct lwis_transacti
resp->error_code, transaction->info.id, i, entry->type);
}
}
+
+ spin_lock_irqsave(&client->transaction_lock, flags);
if (pending_fences) {
/* Convert -ECANCELED error code to userspace Cancellation error code */
pending_status = resp->error_code == -ECANCELED ? 1 : resp->error_code;
@@ -315,6 +318,7 @@ static int process_transaction(struct lwis_client *client, struct lwis_transacti
} else {
lwis_transaction_free(lwis_dev, transaction);
}
+ spin_unlock_irqrestore(&client->transaction_lock, flags);
return ret;
}
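Review bot: The critical section that `spin_lock_irqsave(&client->transaction_lock, flags)` opens in the previous hunk and that is closed here just before `return ret` now encloses the whole `pending_fences` branch, most of whose body lies outside the hunks; if any of those hidden lines can sleep, re-acquire `client->transaction_lock` on a fence-signalling path, or return early, the result would be a deadlock or a lock held with interrupts disabled, which is worth confirming against the full function. Neither the lock nor the unlock carries a comment, so a reader cannot tell from the code why the tail of process_transaction is serialized; a one-line comment above the lock would carry the intent the commit message states, e.g. `/* Serialize with client release (see commit): the transaction may be freed there, so hold transaction_lock until we are done with it. */`. Adding `/* every exit below must go through spin_unlock_irqrestore */` at the same place would remind future edits not to introduce an early return inside the locked region. process_transaction begins before the first hunk, so the rest of its locking discipline is not visible here.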