[PATCH] media: venus: fix use after free for registeredbufs

From: Jeffrey Kardatzke
Date: Thu Mar 05 2020 - 19:23:27 EST

Next message: Heiko Stuebner: "Re: [PATCH v4 2/2] arm64: dts: rockchip: Add initial support for Pinebook Pro"
Previous message: Lucas De Marchi: "Re: [PATCH] modpost: move the namespace field in Module.symvers last"
Next in thread: Stanimir Varbanov: "Re: [PATCH] media: venus: fix use after free for registeredbufs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In dynamic bufmode we do not manage the buffers in the registeredbufs
list, so do not add them there when they are initialized. Adding them
there was causing a use after free of the list_head struct in the buffer
when new buffers were allocated after existing buffers were freed.

Signed-off-by: Jeffrey Kardatzke <jkardatzke@xxxxxxxxxx>
---
drivers/media/platform/qcom/venus/helpers.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/qcom/venus/helpers.c b/drivers/media/platform/qcom/venus/helpers.c
index bcc603804041..688a3593b49b 100644
--- a/drivers/media/platform/qcom/venus/helpers.c
+++ b/drivers/media/platform/qcom/venus/helpers.c
@@ -1054,8 +1054,10 @@ int venus_helper_vb2_buf_init(struct vb2_buffer *vb)
buf->size = vb2_plane_size(vb, 0);
buf->dma_addr = sg_dma_address(sgt->sgl);

- if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
+ if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE &&
+ !is_dynamic_bufmode(inst)) {
list_add_tail(&buf->reg_list, &inst->registeredbufs);
+ }

return 0;
}
--
2.25.1.481.gfbce0eb801-goog

Next message: Heiko Stuebner: "Re: [PATCH v4 2/2] arm64: dts: rockchip: Add initial support for Pinebook Pro"
Previous message: Lucas De Marchi: "Re: [PATCH] modpost: move the namespace field in Module.symvers last"
Next in thread: Stanimir Varbanov: "Re: [PATCH] media: venus: fix use after free for registeredbufs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]