gpu: drm: msm: add event to event_list after register is successful
Add event to event_list after msm_register_event is successful to avoid
use-after-free vulnerability.
Change-Id: I34fb39c99051978cbab64a852851964691a5ea9e
Signed-off-by: Ping Li <pingli@codeaurora.org>
Signed-off-by: Venkata Prahlad Valluru <vvalluru@codeaurora.org>
diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
index 1c058db..ff8c1cd 100755
--- a/drivers/gpu/drm/msm/msm_drv.c
+++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2016-2018, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2018, 2020 The Linux Foundation. All rights reserved.
* Copyright (C) 2013 Red Hat
* Author: Rob Clark <robdclark@gmail.com>
*
@@ -1295,24 +1295,27 @@
* calls add to client list and return.
*/
count = msm_event_client_count(dev, req_event, false);
- /* Add current client to list */
- spin_lock_irqsave(&dev->event_lock, flag);
- list_add_tail(&client->base.link, &priv->client_event_list);
- spin_unlock_irqrestore(&dev->event_lock, flag);
-
- if (count)
+ if (count) {
+ /* Add current client to list */
+ spin_lock_irqsave(&dev->event_lock, flag);
+ list_add_tail(&client->base.link, &priv->client_event_list);
+ spin_unlock_irqrestore(&dev->event_lock, flag);
return 0;
+ }
ret = msm_register_event(dev, req_event, file, true);
if (ret) {
DRM_ERROR("failed to enable event %x object %x object id %d\n",
req_event->event, req_event->object_type,
req_event->object_id);
- spin_lock_irqsave(&dev->event_lock, flag);
- list_del(&client->base.link);
- spin_unlock_irqrestore(&dev->event_lock, flag);
kfree(client);
+ } else {
+ /* Add current client to list */
+ spin_lock_irqsave(&dev->event_lock, flag);
+ list_add_tail(&client->base.link, &priv->client_event_list);
+ spin_unlock_irqrestore(&dev->event_lock, flag);
}
+
return ret;
}