
Commit e543a787 authored by Govindaraj Rajagopal's avatar Govindaraj Rajagopal Committed by Gerrit - the friendly Code Review server

msm: vidc: change cvp buffer add sequence



[1] A race between cvp_register and cvp_unregister
on the same cvp buffer leads to a use-after-free.
[2] To address this, add the cvp buffer to the list
inst->cvpbufs.list only after all required steps of the
registration sequence have completed.

Change-Id: If9f22d17e64f003528d5653f81404f3fcc6e88f5
Signed-off-by: default avatarGovindaraj Rajagopal <grajagop@codeaurora.org>
parent 951bb6d9
+4 −7
// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
 * Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
 */

#include "msm_cvp_internal.h"
@@ -364,9 +364,6 @@ static int msm_cvp_register_buffer(struct msm_vidc_inst *inst,
		s_vpr_e(inst->sid, "%s: cbuf alloc failed\n", __func__);
		return -ENOMEM;
	}
	mutex_lock(&inst->cvpbufs.lock);
	list_add_tail(&cbuf->list, &inst->cvpbufs.list);
	mutex_unlock(&inst->cvpbufs.lock);

	memcpy(&cbuf->buf, buf, sizeof(struct msm_cvp_buffer));
	cbuf->smem.buffer_type = get_hal_buftype(__func__, buf->type,
@@ -393,14 +390,14 @@ static int msm_cvp_register_buffer(struct msm_vidc_inst *inst,
		print_cvp_buffer(VIDC_ERR, "register failed", inst, cbuf);
		goto exit;
	}
	mutex_lock(&inst->cvpbufs.lock);
	list_add_tail(&cbuf->list, &inst->cvpbufs.list);
	mutex_unlock(&inst->cvpbufs.lock);
	return rc;

exit:
	if (cbuf->smem.device_addr)
		inst->smem_ops->smem_unmap_dma_buf(inst, &cbuf->smem);
	mutex_lock(&inst->cvpbufs.lock);
	list_del(&cbuf->list);
	mutex_unlock(&inst->cvpbufs.lock);
	kfree(cbuf);
	cbuf = NULL;