authorRohan Sethi <rohsethi@codeaurora.org>2020-07-30 16:26:57 +0530
committerRohan Sethi <rohsethi@codeaurora.org>2020-07-30 17:16:50 +0530
commit3ba217f1e4b5569d4adf683f6eab3c047476a9c2 (patch)
tree06f22329676ab85f22b4357f6b3ed555033fba5f
parent4a1a4fb57a7c84060e82d8e59b7851f1ed7e107f (diff)
msm: kgsl: Fix possible use-after-free while adding context to active list
Consider a scenario where a context is valid when the check is made in adreno_dispatcher_queue_cmds(), but by the time we reach _track_context(), the context has been detached. We would try to delete the entry from the active context list as part of detaching the context, even though the entry has not been added yet. Now in _track_context() the context is actually added. When the context is finally destroyed, we would be left with an invalid entry in the list. The next time a context is added, an attempt would be made to use a freed entry. Fix this by moving the entry deletion part under the drawctxt lock. Change-Id: Idab7cbf10987598b3e6395b2d50c20d1990d1f02 Signed-off-by: Puranam V G Tejaswi <pvgtejas@codeaurora.org> Signed-off-by: Rohan Sethi <rohsethi@codeaurora.org>
-rw-r--r--drivers/gpu/msm/adreno_drawctxt.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/gpu/msm/adreno_drawctxt.c b/drivers/gpu/msm/adreno_drawctxt.c
index 3e765a61bd5e..446df0e98217 100644
--- a/drivers/gpu/msm/adreno_drawctxt.c
+++ b/drivers/gpu/msm/adreno_drawctxt.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2002,2007-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2002,2007-2017,2020, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -473,11 +473,12 @@ void adreno_drawctxt_detach(struct kgsl_context *context)
drawctxt = ADRENO_CONTEXT(context);
rb = drawctxt->rb;
+ spin_lock(&drawctxt->lock);
+
spin_lock(&adreno_dev->active_list_lock);
list_del_init(&drawctxt->active_node);
spin_unlock(&adreno_dev->active_list_lock);
- spin_lock(&drawctxt->lock);
count = drawctxt_detach_drawobjs(drawctxt, list);
spin_unlock(&drawctxt->lock);