
Commit 488acf49 authored by Meera Gande's avatar Meera Gande

mm-camera2:isp2: Avoid use after free buffer



In the code, there are certain calls that can
try to access the buffer pointer variable after
free, as the same pointer can be freed by a
RELEASE_BUF call at the same time.

Change-Id: I4f7a48613b614138916ae33e7783b0c172330321
Signed-off-by: default avatarMeera Gande <mgande@codeaurora.org>
parent 11a18c0d
+5 −1
@@ -1048,15 +1048,18 @@ static int msm_vfe40_start_fetch_engine(struct vfe_device *vfe_dev,
				fe_cfg->stream_id);
		vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;

		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
			vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		if (rc < 0 || !buf) {
			pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
				__func__, rc, buf);
			mutex_unlock(&vfe_dev->buf_mgr->lock);
			return -EINVAL;
		}
		mapped_info = buf->mapped_info[0];
		buf->state = MSM_ISP_BUFFER_STATE_DISPATCHED;
		mutex_unlock(&vfe_dev->buf_mgr->lock);
	} else {
		rc = vfe_dev->buf_mgr->ops->map_buf(vfe_dev->buf_mgr,
			&mapped_info, fe_cfg->fd);
@@ -1109,14 +1112,15 @@ static int msm_vfe40_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
			vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc < 0 || !buf) {
			pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
				__func__, rc, buf);
			mutex_unlock(&vfe_dev->buf_mgr->lock);
			return -EINVAL;
		}
		mapped_info = buf->mapped_info[0];
		buf->state = MSM_ISP_BUFFER_STATE_DISPATCHED;
		mutex_unlock(&vfe_dev->buf_mgr->lock);
	} else {
		rc = vfe_dev->buf_mgr->ops->map_buf(vfe_dev->buf_mgr,
			&mapped_info, fe_cfg->fd);
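Review bot: The lock / get_buf_by_index / check / copy mapped_info / set DISPATCHED / unlock sequence is now written out by hand six times (both hunks here and the vfe44, vfe46 and vfe47 sections), and the copies already disagree: the vfe44 one checks only `rc < 0`. Moving the sequence behind one buf_mgr helper that returns the mapped_info copy with the buffer already marked MSM_ISP_BUFFER_STATE_DISPATCHED under its own lock would keep the locking discipline in one place, so the next caller cannot forget the unlock on the error path. Both msm_vfe40_start_fetch_engine and msm_vfe40_start_fetch_engine_multi_pass start and end outside these hunks, so any later use of buf in those functions cannot be checked from here.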
+2 −1
@@ -895,13 +895,14 @@ static int msm_vfe44_fetch_engine_start(struct vfe_device *vfe_dev,
		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
			vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc < 0) {
			pr_err("%s: No fetch buffer\n", __func__);
			mutex_unlock(&vfe_dev->buf_mgr->lock);
			return -EINVAL;
		}
		mapped_info = buf->mapped_info[0];
		buf->state = MSM_ISP_BUFFER_STATE_DISPATCHED;
		mutex_unlock(&vfe_dev->buf_mgr->lock);
	} else {
		rc = vfe_dev->buf_mgr->ops->map_buf(vfe_dev->buf_mgr,
			&mapped_info, fe_cfg->fd);
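Review bot: `buf->mapped_info[0]` is dereferenced with only `rc < 0` checked, so a zero return that leaves `buf` NULL would fault under the lock; every other variant in this commit guards `rc < 0 || !buf`. Match them here: `if (rc < 0 || !buf) {` and `pr_err("%s: No fetch buffer rc= %d buf= %pK\n", __func__, rc, buf);`. Whether get_buf_by_index can return 0 with a NULL buffer is not visible in this hunk; the other call sites suggest the maintainers treat it as possible. msm_vfe44_fetch_engine_start starts and ends outside the hunk.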
+2 −1
@@ -833,14 +833,15 @@ static int msm_vfe46_start_fetch_engine(struct vfe_device *vfe_dev,
		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
			vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc < 0 || !buf) {
			pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
				__func__, rc, buf);
			mutex_unlock(&vfe_dev->buf_mgr->lock);
			return -EINVAL;
		}
		mapped_info = buf->mapped_info[0];
		buf->state = MSM_ISP_BUFFER_STATE_DISPATCHED;
		mutex_unlock(&vfe_dev->buf_mgr->lock);
	} else {
		rc = vfe_dev->buf_mgr->ops->map_buf(vfe_dev->buf_mgr,
			&mapped_info, fe_cfg->fd);
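Review bot: Nothing in the hunk says why the unlock moved from right after get_buf_by_index to after the `buf->state` write; the reason lives only in the commit message, and the next person tidying the lock scope will move it back. A comment at the `mutex_lock` would pin it: `/* Hold buf_mgr->lock until buf->state is set: a concurrent RELEASE_BUF can free buf. */`. The copy `mapped_info = buf->mapped_info[0]` is the last read of buf under the lock; if mapped_info is a by-value struct the fetch engine can then be programmed without touching buf, but if it carries pointers into buf the race is only narrowed, and that assumption belongs in the same comment. msm_vfe46_start_fetch_engine continues past the hunk.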
+5 −1
@@ -1102,15 +1102,18 @@ int msm_vfe47_start_fetch_engine(struct vfe_device *vfe_dev,
			fe_cfg->stream_id);
		vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;

		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
			vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		if (rc < 0 || !buf) {
			pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
				__func__, rc, buf);
			mutex_unlock(&vfe_dev->buf_mgr->lock);
			return -EINVAL;
		}
		mapped_info = buf->mapped_info[0];
		buf->state = MSM_ISP_BUFFER_STATE_DISPATCHED;
		mutex_unlock(&vfe_dev->buf_mgr->lock);
	} else {
		rc = vfe_dev->buf_mgr->ops->map_buf(vfe_dev->buf_mgr,
			&mapped_info, fe_cfg->fd);
@@ -1163,14 +1166,15 @@ int msm_vfe47_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
			vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc < 0 || !buf) {
			pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
				__func__, rc, buf);
			mutex_unlock(&vfe_dev->buf_mgr->lock);
			return -EINVAL;
		}
		mapped_info = buf->mapped_info[0];
		buf->state = MSM_ISP_BUFFER_STATE_DISPATCHED;
		mutex_unlock(&vfe_dev->buf_mgr->lock);
	} else {
		rc = vfe_dev->buf_mgr->ops->map_buf(vfe_dev->buf_mgr,
			&mapped_info, fe_cfg->fd);
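Review bot: The widened lock scope only closes the race described in the commit message if the RELEASE_BUF path, and any other path that frees or re-queues the buffer, takes the same `vfe_dev->buf_mgr->lock`; that side is not part of this commit, so it should be confirmed rather than assumed. If the release path serialises on a per-bufq lock instead, the unlock after `buf->state = MSM_ISP_BUFFER_STATE_DISPATCHED` still leaves a window in which buf can go away. The same remark applies to the second hunk (msm_vfe47_start_fetch_engine_multi_pass); both functions extend outside the hunks.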
+4 −0
@@ -4032,10 +4032,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
				pr_err("%s: stream_info is null", __func__);
				return -EINVAL;
			}
			mutex_lock(&vfe_dev->buf_mgr->lock);
			rc = msm_isp_request_frame(vfe_dev, stream_info,
				update_info->user_stream_id,
				update_info->frame_id,
				MSM_ISP_INVALID_BUF_INDEX);
			mutex_unlock(&vfe_dev->buf_mgr->lock);
			if (rc)
				pr_err("%s failed to request frame!\n",
					__func__);
@@ -4087,10 +4089,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
			pr_err("%s: stream_info is null", __func__);
			return -EINVAL;
		}
		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = msm_isp_request_frame(vfe_dev, stream_info,
			req_frm->user_stream_id,
			req_frm->frame_id,
			req_frm->buf_index);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc)
			pr_err("%s failed to request frame!\n",
				__func__);
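Review bot: Calling msm_isp_request_frame with `vfe_dev->buf_mgr->lock` held, as both hunks of this section now do, self-deadlocks if that function or the buffer-manager ops it reaches take the same mutex, since it is a plain non-recursive mutex. Its body is not in the hunk, so this is a check to run, not a finding. If it does lock internally, either drop the lock here or give the inner path a lock-already-held variant. msm_isp_update_axi_stream starts before and ends after both hunks.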