
Commit 4b02c344 authored by Govindaraj Rajagopal's avatar Govindaraj Rajagopal

msm: vidc: resolve use-after-free problem



A failure in msm_vidc_open() frees the inst structure, which might still
be in use by other threads; hence use kref_put instead of kfree on the
instance in msm_vidc_open() to resolve the use-after-free problem.

Change-Id: I611aa6347da6c884345890153c7f7e4525a4307c
Signed-off-by: default avatarGovindaraj Rajagopal <grajagop@codeaurora.org>
parent 50adf52c
+11 −9
@@ -1476,6 +1476,14 @@ static struct msm_vidc_inst_smem_ops msm_vidc_smem_ops = {
	.smem_drain = msm_smem_memory_drain,
};

static void close_helper(struct kref *kref)
{
	struct msm_vidc_inst *inst = container_of(kref,
			struct msm_vidc_inst, kref);

	msm_vidc_destroy(inst);
}

void *msm_vidc_open(int core_id, int session_type)
{
	struct msm_vidc_inst *inst = NULL;
@@ -1598,7 +1606,9 @@ void *msm_vidc_open(int core_id, int session_type)
	if (rc) {
		s_vpr_e(inst->sid,
			"Failed to move video instance to init state\n");
		goto fail_init;
		kref_put(&inst->kref, close_helper);
		inst = NULL;
		goto err_invalid_core;
	}

	if (msm_comm_check_for_inst_overload(core)) {
@@ -1786,14 +1796,6 @@ int msm_vidc_destroy(struct msm_vidc_inst *inst)
	return 0;
}

static void close_helper(struct kref *kref)
{
	struct msm_vidc_inst *inst = container_of(kref,
			struct msm_vidc_inst, kref);

	msm_vidc_destroy(inst);
}

int msm_vidc_close(void *instance)
{
	struct msm_vidc_inst *inst = instance;
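Review bot: The other failure paths of msm_vidc_open() that still `goto fail_init` are outside the second hunk, so it is not visible whether they keep freeing `inst` directly once another thread may already hold a reference; if `fail_init` still ends in a kfree, the same `kref_put(&inst->kref, close_helper); inst = NULL;` sequence should replace it at those sites too, otherwise the use-after-free stays reachable from later checks such as the `msm_comm_check_for_inst_overload(core)` branch. The close_helper() moved up in the first hunk would benefit from a one-line comment such as `/* kref release callback: the last reference is gone, so tear the instance down */`, making explicit that msm_vidc_destroy() is the only code allowed to touch inst after the put. The body of msm_vidc_open() and the err_invalid_core/fail_init labels lie outside the hunks.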