From: Dafna Hirschfeld
To: linux-media@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org
Cc: dafna.hirschfeld@collabora.com, hverkuil@xs4all.nl, kernel@collabora.com, dafna3@gmail.com, mchehab@kernel.org, tfiga@chromium.org, tiffany.lin@mediatek.com, andrew-ct.chen@mediatek.com, matthias.bgg@gmail.com, hsinyi@chromium.org, maoguang.meng@mediatek.com, irui.wang@mediatek.com, acourbot@chromium.org, Yunfei.Dong@mediatek.com, yong.wu@mediatek.com, eizan@chromium.org
Subject: [PATCH 2/5] media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released
Date: Wed, 4 Aug 2021 16:27:26 +0200
Message-Id: <20210804142729.7231-3-dafna.hirschfeld@collabora.com>

The func v4l2_m2m_ctx_release waits for currently running jobs to finish and then stops streaming both queues and frees the buffers. All this should be done before the call to mtk_vcodec_enc_release which frees the encoder handler. This fixes a use-after-free bug.

Fixes: 4e855a6efa547 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver")
Signed-off-by: Dafna Hirschfeld

--- drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c index 45d1870c83dd..4ced20ca647b 100644 --- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c +++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c
@@ -218,11 +218,11 @@ static int fops_vcodec_release(struct file *file) mtk_v4l2_debug(1, "[%d] encoder", ctx->id); mutex_lock(&dev->dev_mutex); + v4l2_m2m_ctx_release(ctx->m2m_ctx); mtk_vcodec_enc_release(ctx); v4l2_fh_del(&ctx->fh); v4l2_fh_exit(&ctx->fh); v4l2_ctrl_handler_free(&ctx->ctrl_hdl); - v4l2_m2m_ctx_release(ctx->m2m_ctx); list_del_init(&ctx->list); kfree(ctx); -- 2.17.1
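
Review bot: the ordering this fix depends on is not recorded anywhere in fops_vcodec_release, so a later cleanup could move `v4l2_m2m_ctx_release(ctx->m2m_ctx);` back below `mtk_vcodec_enc_release(ctx);` and reintroduce the use-after-free. Please add a short comment above the moved call saying that it waits for running jobs and stops streaming, and therefore must run before the encoder handle is freed. Separately, the call now sits directly after `mutex_lock(&dev->dev_mutex);`, so the wait for running jobs happens with dev_mutex held. It would help to state in the commit message that the job completion path never takes dev_mutex, or to explain why waiting under the lock is safe here.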