msm: camera: Fix Use after free bug in msm_vb2.c.

#include "cam_hw_ops.h"

#include <media/msmb_generic_buf_mgr.h>

static struct v4l2_device *msm_v4l2_dev;

static struct list_head    ordered_sd_list;

#define msm_queue_find(queue, type, member, func, data) ({\

	unsigned long flags;					\

	struct msm_queue_head *__q = (queue);			\

	type *node = 0; \

	type *node = NULL; \

	typeof(node) __ret = NULL; \

	msm_queue_find_func __f = (func); \

	spin_lock_irqsave(&__q->lock, flags);			\

	struct msm_session *session = NULL;

	struct msm_stream  *stream = NULL;

	unsigned long flags;

	int try_count = 0;

	session = msm_queue_find(msm_session_q, struct msm_session,

		list, __msm_queue_find_session, &session_id);

	if (!session)

		return;

	while (1) {

		if (try_count > 5) {

			pr_err("%s : not able to delete stream %d\n",

				__func__, __LINE__);

			break;

		}

		write_lock(&session->stream_rwlock);

		try_count++;

		stream = msm_queue_find(&session->stream_q, struct msm_stream,

			list, __msm_queue_find_stream, &stream_id);

	if (!stream)

		if (!stream) {

			write_unlock(&session->stream_rwlock);

			return;

		}

		if (msm_vb2_get_stream_state(stream) != 1) {

			write_unlock(&session->stream_rwlock);

			continue;

		}

		spin_lock_irqsave(&(session->stream_q.lock), flags);

		list_del_init(&stream->list);

		session->stream_q.len--;

		kfree(stream);

		stream = NULL;

		spin_unlock_irqrestore(&(session->stream_q.lock), flags);

		write_unlock(&session->stream_rwlock);

		break;

	}

}

EXPORT_SYMBOL(msm_delete_stream);

	mutex_init(&session->lock);

	mutex_init(&session->lock_q);

	mutex_init(&session->close_lock);

	rwlock_init(&session->stream_rwlock);

	if (gpu_limit) {

		session->sysfs_pwr_limit = kgsl_pwr_limits_add(KGSL_DEVICE_3D0);

#endif

};

struct msm_stream *msm_get_stream(unsigned int session_id,

	unsigned int stream_id)

struct msm_session *msm_get_session(unsigned int session_id)

{

	struct msm_session *session;

	struct msm_stream *stream;

	session = msm_queue_find(msm_session_q, struct msm_session,

		list, __msm_queue_find_session, &session_id);

	if (!session)

		return ERR_PTR(-EINVAL);

	return session;

}

EXPORT_SYMBOL(msm_get_session);

struct msm_stream *msm_get_stream(struct msm_session *session,

	unsigned int stream_id)

{

	struct msm_stream *stream;

	stream = msm_queue_find(&session->stream_q, struct msm_stream,

		list, __msm_queue_find_stream, &stream_id);

}

EXPORT_SYMBOL(msm_get_stream_from_vb2q);

struct msm_session *msm_get_session_from_vb2q(struct vb2_queue *q)

{

	struct msm_session *session;

	struct msm_stream *stream;

	unsigned long flags1;

	unsigned long flags2;

	spin_lock_irqsave(&msm_session_q->lock, flags1);

	list_for_each_entry(session, &(msm_session_q->list), list) {

		spin_lock_irqsave(&(session->stream_q.lock), flags2);

		list_for_each_entry(

			stream, &(session->stream_q.list), list) {

			if (stream->vb2_q == q) {

				spin_unlock_irqrestore

					(&(session->stream_q.lock), flags2);

				spin_unlock_irqrestore

					(&msm_session_q->lock, flags1);

				return session;

			}

		}

		spin_unlock_irqrestore(&(session->stream_q.lock), flags2);

	}

	spin_unlock_irqrestore(&msm_session_q->lock, flags1);

	return NULL;

}

EXPORT_SYMBOL(msm_get_session_from_vb2q);

#ifdef CONFIG_COMPAT

long msm_copy_camera_private_ioctl_args(unsigned long arg,

	struct msm_camera_private_ioctl_arg *k_ioctl,

	struct mutex lock;

	struct mutex lock_q;

	struct mutex close_lock;

	rwlock_t	stream_rwlock;

	struct kgsl_pwr_limit *sysfs_pwr_limit;

};

void msm_delete_stream(unsigned int session_id, unsigned int stream_id);

int  msm_create_command_ack_q(unsigned int session_id, unsigned int stream_id);

void msm_delete_command_ack_q(unsigned int session_id, unsigned int stream_id);

struct msm_stream *msm_get_stream(unsigned int session_id,

struct msm_session *msm_get_session(unsigned int session_id);

struct msm_stream *msm_get_stream(struct msm_session *session,

	unsigned int stream_id);

struct vb2_queue *msm_get_stream_vb2q(unsigned int session_id,

	unsigned int stream_id);

struct msm_stream *msm_get_stream_from_vb2q(struct vb2_queue *q);

struct msm_session *msm_get_session_from_vb2q(struct vb2_queue *q);

struct msm_session *msm_session_find(unsigned int session_id);

#ifdef CONFIG_COMPAT

long msm_copy_camera_private_ioctl_args(unsigned long arg,

/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.

/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and

int msm_vb2_buf_init(struct vb2_buffer *vb)

{

	struct msm_stream *stream;

	struct msm_session *session;

	struct msm_vb2_buffer *msm_vb2_buf;

	struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb);

	session = msm_get_session_from_vb2q(vb->vb2_queue);

	if (IS_ERR_OR_NULL(session))

		return -EINVAL;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream_from_vb2q(vb->vb2_queue);

	if (!stream) {

		pr_err("%s: Couldn't find stream\n", __func__);

		read_unlock(&session->stream_rwlock);

		return -EINVAL;

	}

	msm_vb2_buf = container_of(vbuf, struct msm_vb2_buffer, vb2_v4l2_buf);

	msm_vb2_buf->in_freeq = 0;

	read_unlock(&session->stream_rwlock);

	return 0;

}

{

	struct msm_vb2_buffer *msm_vb2;

	struct msm_stream *stream;

	struct msm_session *session;

	unsigned long flags;

	struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb);

		return;

	}

	session = msm_get_session_from_vb2q(vb->vb2_queue);

	if (IS_ERR_OR_NULL(session))

		return;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream_from_vb2q(vb->vb2_queue);

	if (!stream) {

		pr_err("%s:%d] NULL stream", __func__, __LINE__);

		read_unlock(&session->stream_rwlock);

		return;

	}

	spin_lock_irqsave(&stream->stream_lock, flags);

	list_add_tail(&msm_vb2->list, &stream->queued_list);

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	read_unlock(&session->stream_rwlock);

}

static void msm_vb2_buf_finish(struct vb2_buffer *vb)

{

	struct msm_vb2_buffer *msm_vb2;

	struct msm_stream *stream;

	struct msm_session *session;

	unsigned long flags;

	struct msm_vb2_buffer *msm_vb2_entry, *temp;

	struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb);

		return; 

	}

	session = msm_get_session_from_vb2q(vb->vb2_queue);

	if (IS_ERR_OR_NULL(session))

		return;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream_from_vb2q(vb->vb2_queue);

	if (!stream) {

		pr_err("%s:%d] NULL stream", __func__, __LINE__);

		read_unlock(&session->stream_rwlock);

		return;

	}

		}

	}

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	read_unlock(&session->stream_rwlock);

	return;

}

{

	struct msm_vb2_buffer *msm_vb2, *temp;

	struct msm_stream *stream;

	struct msm_session *session;

	unsigned long flags;

	struct vb2_v4l2_buffer *vb2_v4l2_buf;

	session = msm_get_session_from_vb2q(q);

	if (IS_ERR_OR_NULL(session))

		return;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream_from_vb2q(q);

	if (!stream) {

		pr_err_ratelimited("%s:%d] NULL stream", __func__, __LINE__);

		read_unlock(&session->stream_rwlock);

		return;

	}

			msm_vb2->in_freeq = 0;

		}

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	read_unlock(&session->stream_rwlock);

}

int msm_vb2_get_stream_state(struct msm_stream *stream)

{

	struct msm_vb2_buffer *msm_vb2, *temp;

	unsigned long flags;

	int rc = 1;

	spin_lock_irqsave(&stream->stream_lock, flags);

	list_for_each_entry_safe(msm_vb2, temp, &(stream->queued_list), list) {

		if (msm_vb2->in_freeq != 0) {

			rc = 0;

			break;

		}

	}

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	return rc;

}

EXPORT_SYMBOL(msm_vb2_get_stream_state);

static struct vb2_ops msm_vb2_get_q_op = {

	.queue_setup	= msm_vb2_queue_setup,

	unsigned int stream_id)

{

	struct msm_stream *stream;

	struct msm_session *session;

	struct vb2_v4l2_buffer *vb2_v4l2_buf = NULL;

	struct msm_vb2_buffer *msm_vb2 = NULL;

	unsigned long flags;

	stream = msm_get_stream(session_id, stream_id);

	if (IS_ERR_OR_NULL(stream))

	session = msm_get_session(session_id);

	if (IS_ERR_OR_NULL(session))

		return NULL;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream(session, stream_id);

	if (IS_ERR_OR_NULL(stream)) {

		read_unlock(&session->stream_rwlock);

		return NULL;

	}

	spin_lock_irqsave(&stream->stream_lock, flags);

	if (!stream->vb2_q) {

	vb2_v4l2_buf = NULL;

end:

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	read_unlock(&session->stream_rwlock);

	return vb2_v4l2_buf;

}

	unsigned int stream_id, uint32_t index)

{

	struct msm_stream *stream;

	struct msm_session *session;

	struct vb2_v4l2_buffer *vb2_v4l2_buf = NULL;

	struct msm_vb2_buffer *msm_vb2 = NULL;

	unsigned long flags;

	stream = msm_get_stream(session_id, stream_id);

	if (IS_ERR_OR_NULL(stream))

	session = msm_get_session(session_id);

	if (IS_ERR_OR_NULL(session))

		return NULL;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream(session, stream_id);

	if (IS_ERR_OR_NULL(stream)) {

		read_unlock(&session->stream_rwlock);

		return NULL;

	}

	spin_lock_irqsave(&stream->stream_lock, flags);

	vb2_v4l2_buf = NULL;

end:

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	read_unlock(&session->stream_rwlock);

	return vb2_v4l2_buf;

}

				unsigned int stream_id)

{

	struct msm_stream *stream;

	struct msm_session *session;

	struct msm_vb2_buffer *msm_vb2;

	struct vb2_v4l2_buffer *vb2_v4l2_buf = NULL;

	int rc = 0;

	unsigned long flags;

	stream = msm_get_stream(session_id, stream_id);

	if (IS_ERR_OR_NULL(stream))

	session = msm_get_session(session_id);

	if (IS_ERR_OR_NULL(session))

		return -EINVAL;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream(session, stream_id);

	if (IS_ERR_OR_NULL(stream)) {

		read_unlock(&session->stream_rwlock);

		return -EINVAL;

	}

	spin_lock_irqsave(&stream->stream_lock, flags);

	if (vb) {

		list_for_each_entry(msm_vb2, &(stream->queued_list), list) {

		rc = -EINVAL;

	}

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	read_unlock(&session->stream_rwlock);

	return rc;

}

	unsigned long flags;

	struct msm_vb2_buffer *msm_vb2;

	struct msm_stream *stream;

	struct msm_session *session;

	struct vb2_v4l2_buffer *vb2_v4l2_buf = NULL;

	int rc = 0;

	stream = msm_get_stream(session_id, stream_id);

	if (IS_ERR_OR_NULL(stream))

	session = msm_get_session(session_id);

	if (IS_ERR_OR_NULL(session))

		return -EINVAL;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream(session, stream_id);

	if (IS_ERR_OR_NULL(stream)) {

		read_unlock(&session->stream_rwlock);

		return -EINVAL;

	}

	spin_lock_irqsave(&stream->stream_lock, flags);

	if (vb) {

		list_for_each_entry(msm_vb2, &(stream->queued_list), list) {

		rc = -EINVAL;

	}

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	read_unlock(&session->stream_rwlock);

	return rc;

}

				uint32_t index)

{

	struct msm_stream *stream;

	struct msm_session *session;

	struct vb2_v4l2_buffer *vb2_v4l2_buf = NULL;

	struct msm_vb2_buffer *msm_vb2 = NULL;

	unsigned long flags;

	long rc = -EINVAL;

	stream = msm_get_stream(session_id, stream_id);

	if (IS_ERR_OR_NULL(stream))

	session = msm_get_session(session_id);

	if (IS_ERR_OR_NULL(session))

		return rc;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream(session, stream_id);

	if (IS_ERR_OR_NULL(stream)) {

		read_unlock(&session->stream_rwlock);

		return -EINVAL;

	}

	spin_lock_irqsave(&stream->stream_lock, flags);

	if (!stream->vb2_q) {

end:

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	read_unlock(&session->stream_rwlock);

	return rc;

}

EXPORT_SYMBOL(msm_vb2_return_buf_by_idx);

	unsigned long flags;

	struct msm_vb2_buffer *msm_vb2;

	struct msm_stream *stream;

	struct msm_session *session;

	struct vb2_v4l2_buffer *vb2_v4l2_buf = NULL;

	stream = msm_get_stream(session_id, stream_id);

	if (IS_ERR_OR_NULL(stream))

	session = msm_get_session(session_id);

	if (IS_ERR_OR_NULL(session))

		return -EINVAL;

	read_lock(&session->stream_rwlock);

	stream = msm_get_stream(session, stream_id);

	if (IS_ERR_OR_NULL(stream)) {

		read_unlock(&session->stream_rwlock);

		return -EINVAL;

	}

	spin_lock_irqsave(&stream->stream_lock, flags);

	list_for_each_entry(msm_vb2, &(stream->queued_list), list) {

		vb2_v4l2_buf = &(msm_vb2->vb2_v4l2_buf);

		msm_vb2->in_freeq = 0;

	}

	spin_unlock_irqrestore(&stream->stream_lock, flags);

	read_unlock(&session->stream_rwlock);

	return 0;

}

/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.

/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and

int msm_vb2_request_cb(struct msm_sd_req_vb2_q *req_sd);

long msm_vb2_return_buf_by_idx(int session_id, unsigned int stream_id,

	uint32_t index);

int msm_vb2_get_stream_state(struct msm_stream *stream);

#endif /*_MSM_VB_H */