authorHarsh Sahu <hsahu@codeaurora.org>2017-04-13 15:38:46 -0700
committerHarsh Sahu <hsahu@codeaurora.org>2017-04-14 11:28:14 -0700
commit64e4e29356928bea60ae4be5b387eb7d8d7a7f45 (patch)
tree80d5723fa94f60c40ee9aaa5fd8a773b8e6b3117
parent406ab7d2d4f3a72f3ef1dd10f894e6c88ee3ac01 (diff)
msm: mdss: fix race condition during mdp debugfs release
Fix race condition in the release of the mdp debugfs functions panel_debug_base_release and mdss_debug_base_release by adding the lock for unpreempted freeing of the buffer so that multiple concurrent processes cannot affect the release which can possibly lead to use-after-free operation on the buffer. Change-Id: I9586081b65ae2eb0e7f6e30c606ee748ae9ef7e8 Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
-rw-r--r--drivers/video/fbdev/msm/mdss_debug.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/video/fbdev/msm/mdss_debug.c b/drivers/video/fbdev/msm/mdss_debug.c
index e60869144339..0ecf1ef92ab3 100644
--- a/drivers/video/fbdev/msm/mdss_debug.c
+++ b/drivers/video/fbdev/msm/mdss_debug.c
@@ -59,11 +59,13 @@ static int panel_debug_base_open(struct inode *inode, struct file *file)
static int panel_debug_base_release(struct inode *inode, struct file *file)
{
struct mdss_debug_base *dbg = file->private_data;
+ mutex_lock(&mdss_debug_lock);
if (dbg && dbg->buf) {
kfree(dbg->buf);
dbg->buf_len = 0;
dbg->buf = NULL;
}
+ mutex_unlock(&mdss_debug_lock);
return 0;
}
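Review bot: The `mutex_lock(&mdss_debug_lock)` added in panel_debug_base_release only closes the use-after-free if every other path that dereferences, frees or reallocates `dbg->buf` holds the same mutex for the whole access. Those read/write handlers are outside this hunk, so this cannot be confirmed from here and should be checked before relying on the fix. The same applies to mdss_debug_base_release in the second hunk. Since `dbg` comes from `file->private_data` and the description speaks of concurrent processes, it is presumably shared between openers, so a short comment above the lock would help the next reader: `/* dbg->buf is shared between openers; touch it only under mdss_debug_lock */`. As a style point, kernel coding style expects a blank line between the `struct mdss_debug_base *dbg = file->private_data;` declaration and the first statement, in both functions.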
@@ -385,11 +387,13 @@ static int mdss_debug_base_open(struct inode *inode, struct file *file)
static int mdss_debug_base_release(struct inode *inode, struct file *file)
{
struct mdss_debug_base *dbg = file->private_data;
+ mutex_lock(&mdss_debug_lock);
if (dbg && dbg->buf) {
kfree(dbg->buf);
dbg->buf_len = 0;
dbg->buf = NULL;
}
+ mutex_unlock(&mdss_debug_lock);
return 0;
}