In `kgsl_ioctl_timeline_destroy`, when destroying the timeline, the fences in `timeline->fences` are first copied to another list, `temp`, and then removed from `timeline->fences` (point a.). Again, the manipulation of `timeline->fences` is protected by `timeline->fence_lock` here. As `timeline->fences` does not hold an extra reference to the fences, their refcount is increased so that they are not freed while they sit in `temp`.

However, if the refcount of a fence is already zero when point a. above is reached, but `timeline_fence_release` has not yet been able to remove it from `timeline->fences` (it has not reached point 1. in the snippet of `timeline_fence_release` included earlier), then the `dma_fence` is moved to `temp`, and although its refcount is increased, it is already too late: `timeline_fence_release` will free the `dma_fence` when it reaches point 2., regardless of the refcount.

So if the events happen in the following order, a use-after-free can be triggered at point b.:

[figure: ordering of events between `kgsl_ioctl_timeline_destroy` and `timeline_fence_release`]

In the diagram above, the red blocks indicate code that holds the same lock, meaning that the execution of these blocks is mutually exclusive.
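The race above can be reproduced deterministically in a small model. The following is an added example, not code from the kgsl driver or from the original post: the list, lock and fence structures are simplified stand-ins, `kfree()` is modelled by a `freed` flag so the "use" at point b. can be detected instead of corrupting memory, and the interleaving is driven by hand in the order the text describes. The hardened variant of point a. skips any fence whose refcount is already zero (the `kref_get_unless_zero()` pattern); that is one generic way to close this kind of window and is not presented as the vendor's actual fix.

```c
/* Added example: a single-threaded model of the timeline_fence_release vs
 * kgsl_ioctl_timeline_destroy race. Structures and names are simplified
 * stand-ins, NOT the driver's own code; the interleaving is explicit. */
#include <stdio.h>

#define MAX_FENCES 4

struct fence {
    int refcount;   /* dma_fence-style reference count */
    int freed;      /* model of kfree(): memory is never really released */
};

struct timeline {
    struct fence *fences[MAX_FENCES]; /* models timeline->fences (holds no reference) */
    int lock_held;                    /* models timeline->fence_lock */
};

static void lock(struct timeline *tl)   { tl->lock_held = 1; }
static void unlock(struct timeline *tl) { tl->lock_held = 0; }

/* Point 1. of timeline_fence_release: unlink from the list under fence_lock. */
static void release_point1(struct timeline *tl, struct fence *f)
{
    lock(tl);
    for (int i = 0; i < MAX_FENCES; i++)
        if (tl->fences[i] == f) tl->fences[i] = NULL;
    unlock(tl);
}

/* Point 2.: free regardless of the refcount, because release only runs
 * after the count has already dropped to zero. */
static void release_point2(struct fence *f) { f->freed = 1; }

/* Point a. of kgsl_ioctl_timeline_destroy, vulnerable form: takes a reference
 * on every fence still on the list, even one whose count is already zero. */
static int destroy_point_a_vulnerable(struct timeline *tl, struct fence **temp)
{
    int n = 0;
    lock(tl);
    for (int i = 0; i < MAX_FENCES; i++) {
        struct fence *f = tl->fences[i];
        if (!f) continue;
        f->refcount++;            /* too late if refcount was already 0 */
        temp[n++] = f;
        tl->fences[i] = NULL;
    }
    unlock(tl);
    return n;
}

/* Hardened form (assumed fix pattern, not the vendor's patch): only take a
 * reference if the count is not already zero; a fence that is already being
 * released is left for timeline_fence_release to unlink at point 1. */
static int destroy_point_a_hardened(struct timeline *tl, struct fence **temp)
{
    int n = 0;
    lock(tl);
    for (int i = 0; i < MAX_FENCES; i++) {
        struct fence *f = tl->fences[i];
        if (!f) continue;
        if (f->refcount == 0) continue;   /* kref_get_unless_zero() would fail */
        f->refcount++;
        temp[n++] = f;
        tl->fences[i] = NULL;
    }
    unlock(tl);
    return n;
}

/* Point b.: touch the fences collected in temp. Returns 1 if any of them
 * was already freed, i.e. the model observed a use-after-free. */
static int destroy_point_b(struct fence **temp, int n)
{
    int uaf = 0;
    for (int i = 0; i < n; i++) {
        if (temp[i]->freed) uaf = 1;
        else temp[i]->refcount--;
    }
    return uaf;
}

/* Interleaving from the text: last put -> refcount 0 -> destroy reaches
 * point a. before release reaches point 1. -> release finishes -> point b. */
static int run_race(int hardened)
{
    struct fence f = { .refcount = 1, .freed = 0 };
    struct timeline tl = { .fences = { &f }, .lock_held = 0 };
    struct fence *temp[MAX_FENCES];
    int n;
    f.refcount--;                     /* last dma_fence_put(): release is pending */
    n = hardened ? destroy_point_a_hardened(&tl, temp)
                 : destroy_point_a_vulnerable(&tl, temp);
    release_point1(&tl, &f);          /* release now acquires fence_lock */
    release_point2(&f);               /* freed regardless of refcount */
    return destroy_point_b(temp, n);  /* 1 = use-after-free in the model */
}

int main(void)
{
    printf("vulnerable: uaf=%d\n", run_race(0));
    printf("hardened:   uaf=%d\n", run_race(1));
    return 0;
}
```

The vulnerable path moves the zero-refcount fence into `temp` and bumps its count to one, which changes nothing because release was already committed to freeing it; the hardened path leaves it on the list for `timeline_fence_release` to unlink, so `temp` never holds a fence that is about to be freed.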