a614a92c2a
drawobj_destroy_sync() tries to cancel all pending sync events by taking local copy of pending list. In case of sync point timestamp event, it goes ahead and accesses context's events list assuming that event's context would be alive. But at the same time, if the other context, which is of interest for these sync point events, can be destroyed by cancelling all events in its group. This leads to use-after-free in drawobj_destroy_sync() path. Fix is to give the responsibility of putting the context's ref count to the thread which clears the pending mask. Change-Id: I8d08ef6ddb38ca917f75088071c04727bced11d2 Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org> |
||
|---|---|---|
| .. | ||
| drm | ||
| host1x | ||
| ipu-v3 | ||
| msm | ||
| vga | ||
| Makefile | ||