Date: Sun, 11 Nov 2018 16:49:53 -0800
From: Myungho Jung
To: pawel@osciak.com, m.szyprowski@samsung.com, kyungmin.park@samsung.com, mchehab@kernel.org
Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: videobuf2-core: Fix error handling when fileio is deallocated
Message-ID: <20181112004951.GA3948@myunghoj-Precision-5530>

The mutex that is held from vb2_fop_read() can be unlocked while waiting for a buffer if the queue is streaming and blocking. Meanwhile, fileio can be released. So, it should return an error if the fileio address is changed.

Signed-off-by: Myungho Jung
Reported-by: syzbot+4180ff9ca6810b06c1e9@syzkaller.appspotmail.com
---
 drivers/media/common/videobuf2/videobuf2-core.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
index 975ff5669f72..bff94752eb27 100644
--- a/drivers/media/common/videobuf2/videobuf2-core.c
+++ b/drivers/media/common/videobuf2/videobuf2-core.c @@ -2564,6 +2564,10 @@ static size_t __vb2_perform_fileio(struct vb2_queue *q, char __user *data, size_ dprintk(5, "vb2_dqbuf result: %d\n", ret); if (ret) return ret; + if (fileio != q->fileio) { + dprintk(3, "fileio deallocated\n"); + return -EFAULT; + } fileio->dq_count += 1; fileio->cur_index = index; -- 2.17.1
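Review bot: the new `if (fileio != q->fileio)` check compares the stale local pointer with the current `q->fileio` after the dequeue returns, so it catches the case where the fileio context was released (or replaced by one at a different address) while the lock was dropped during the blocking wait, but a release followed by a fresh allocation that lands at the same address passes the comparison and the following `fileio->dq_count += 1; fileio->cur_index = index;` would then update the new context with state from the old one; if that window is acceptable here, a short comment above the check saying why would help the next reader, otherwise a flag or generation counter on the queue that cannot alias would be a more robust signal. Minor: -EFAULT is conventionally reserved for bad user-space addresses, and this is an internal state change rather than a copy failure, so -EIO or -EBUSY may describe it more accurately. Also note that the error is returned after `vb2_dqbuf result` was already 0, i.e. a buffer has been dequeued and its index is then discarded; worth confirming that the new fileio context does not expect it to be accounted for.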