Information

Two threads can pass the kgsl_syncsource_get call before starting the refcount reduction technique. This drops the refcount of a syncsource object below 0, thus exposing itself to a use-after-free attack.



References:
https://source.android.com/security/bulletin/2016-07-01
https://blog.checkpoint.com/2016/08/07/quadrooter/