Date: Thu, 5 Mar 2020 16:23:21 -0800
Message-Id: <20200306002321.3344-1-jkardatzke@google.com>
Subject: [PATCH] media: venus: fix use after free for registeredbufs
From: Jeffrey Kardatzke
To: linux-media@vger.kernel.org
Cc: Stanimir Varbanov, Andy Gross, Mauro Carvalho Chehab, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Jeffrey Kardatzke

In dynamic bufmode we do not manage the buffers in the registeredbufs list, so do not add them there when they are initialized. Adding them there was causing a use after free of the list_head struct in the buffer when new buffers were allocated after existing buffers were freed.

Signed-off-by: Jeffrey Kardatzke
---
 drivers/media/platform/qcom/venus/helpers.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/qcom/venus/helpers.c b/drivers/media/platform/qcom/venus/helpers.c
index bcc603804041..688a3593b49b 100644
--- a/drivers/media/platform/qcom/venus/helpers.c
+++ b/drivers/media/platform/qcom/venus/helpers.c
@@ -1054,8 +1054,10 @@ int venus_helper_vb2_buf_init(struct vb2_buffer *vb) buf->size = vb2_plane_size(vb, 0); buf->dma_addr = sg_dma_address(sgt->sgl); - if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) + if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE && + !is_dynamic_bufmode(inst)) { list_add_tail(&buf->reg_list, &inst->registeredbufs); + } return 0; } -- 2.25.1.481.gfbce0eb801-goog
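Review bot: the braces added around the single-statement body in venus_helper_vb2_buf_init are not needed under kernel coding style, even with the condition now spanning two lines; checkpatch will flag "braces {} are not necessary for single statement blocks", so the hunk can be reduced to the one-line condition change plus the added `!is_dynamic_bufmode(inst)` continuation line. Since this change means `buf->reg_list` is never linked into `inst->registeredbufs` in dynamic bufmode, it is worth confirming that every path which removes entries from that list on buffer cleanup is gated on the same condition, so that no `list_del` runs on a list_head that was never added. The commit message would also benefit from a sentence on why skipping the add is the right fix here rather than unlinking the buffer when it is freed, which is what a reader of the use-after-free description will first expect.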