Android 8.1.0 Release 0.23
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCWnjZ4AAKCRDorT+BmrEO
eOCZAJ9FqSFONDQD+77IK7JrAj4zAO2BhACfQhVmA9U/6hcp4pCJqDeKH/qtjTE=
=55Yv
-----END PGP SIGNATURE-----
ANDROID: qtaguid: Fix the UAF probelm with tag_ref_tree

When multiple threads is trying to tag/delete the same socket at the
same time, there is a chance the tag_ref_entry of the target socket to
be null before the uid_tag_data entry is freed. It is caused by the
ctrl_cmd_tag function where it doesn't correctly grab the spinlocks
when tagging a socket.

Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 65853158
Change-Id: I5d89885918054cf835370a52bff2d693362ac5f0
1 file changed