From patchwork Wed Aug 4 14:27:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dafna Hirschfeld X-Patchwork-Id: 12419059 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A125DC4320A for ; Wed, 4 Aug 2021 14:28:07 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 7347760F25 for ; Wed, 4 Aug 2021 14:28:07 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 7347760F25 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=collabora.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:List-Subscribe:List-Help: List-Post:List-Archive:List-Unsubscribe:List-Id:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=pWudXmsQRdQZcehgpR2mHBHPAbb1RwcQHmlZFD/e//A=; b=ErsRtu5H3/TxEU 1Wjc8mN5X2S2lwbafgdt5rr/j5vfY5A7OCZCtsobxukt9nUkNpvTpGiM4dGxgOayQi8tRW4x3jGvq zn+EuyC8rDBuCiCyl9PUbU7EiP7cQ/BScyoUGVlfikPOTms3f/eDhVAiF4cBSn08PoY6UOY4TcxyS OlKRAqzAhQ2zDMqTY7B8u7aOkfdXfV5q5ZMxhggy8v3hMK62k42CTsBwntivtVbAa5usvSZU/cCfO rhlk7LhMePwdoXqYOnhFSFxv6UGWEa+TxWadPHAGnZ/jlHEf8Hn5TavlHKEUFCAX4eh2vQdQ+hbFQ 20JejLPkFPHnJXfPPBvA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mBHsB-006Qgh-0v; Wed, 04 Aug 2021 14:27:55 +0000 Received: from bhuna.collabora.co.uk ([46.235.227.227]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mBHs6-006Qd7-Ji for linux-mediatek@lists.infradead.org; Wed, 04 Aug 2021 14:27:52 +0000 Received: from guri.fritz.box (unknown [IPv6:2a02:810a:880:f54:adf4:1f5e:19c9:b75f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: dafna) by bhuna.collabora.co.uk (Postfix) with ESMTPSA id 9310C1F43A2B; Wed, 4 Aug 2021 15:27:48 +0100 (BST) From: Dafna Hirschfeld To: linux-media@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-kernel@vger.kernel.org Cc: dafna.hirschfeld@collabora.com, hverkuil@xs4all.nl, kernel@collabora.com, dafna3@gmail.com, mchehab@kernel.org, tfiga@chromium.org, tiffany.lin@mediatek.com, andrew-ct.chen@mediatek.com, matthias.bgg@gmail.com, hsinyi@chromium.org, maoguang.meng@mediatek.com, irui.wang@mediatek.com, acourbot@chromium.org, Yunfei.Dong@mediatek.com, yong.wu@mediatek.com, eizan@chromium.org Subject: [PATCH 2/5] media: mtk-vcodec: call v4l2_m2m_ctx_release first when file is released Date: Wed, 4 Aug 2021 16:27:26 +0200 Message-Id: <20210804142729.7231-3-dafna.hirschfeld@collabora.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210804142729.7231-1-dafna.hirschfeld@collabora.com> References: <20210804142729.7231-1-dafna.hirschfeld@collabora.com> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210804_072750_828200_FBB626BF X-CRM114-Status: GOOD ( 11.34 ) X-BeenThere: linux-mediatek@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: "Linux-mediatek" Errors-To: linux-mediatek-bounces+linux-mediatek=archiver.kernel.org@lists.infradead.org The func v4l2_m2m_ctx_release waits for currently running jobs to finish and then stop streaming both queues and frees the buffers. All this should be done before the call to mtk_vcodec_enc_release which frees the encoder handler. This fixes use-after-free bug. Fixes: 4e855a6efa547 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver") Signed-off-by: Dafna Hirschfeld --- drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c index 45d1870c83dd..4ced20ca647b 100644 --- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c +++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c @@ -218,11 +218,11 @@ static int fops_vcodec_release(struct file *file) mtk_v4l2_debug(1, "[%d] encoder", ctx->id); mutex_lock(&dev->dev_mutex); + v4l2_m2m_ctx_release(ctx->m2m_ctx); mtk_vcodec_enc_release(ctx); v4l2_fh_del(&ctx->fh); v4l2_fh_exit(&ctx->fh); v4l2_ctrl_handler_free(&ctx->ctrl_hdl); - v4l2_m2m_ctx_release(ctx->m2m_ctx); list_del_init(&ctx->list); kfree(ctx);