Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 809d743b authored Jan 22, 2018 by Meera Gande Committed by Gerrit - the friendly Code Review server Feb 12, 2018

mm-camera2:isp2: Handle use after free buffer



In the code, start_fetch can try to access the
buffer pointer variable after free, as the
same pointer can be freed at RELEASE_BUF call
at the same time.

Change-Id: Ic83f22336504cf67afe12131f791eee25477f011
Signed-off-by: Meera Gande <mgande@codeaurora.org>

parent a2143369

drivers/media/platform/msm/camera_v2/isp/msm_isp40.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1112,8 +1112,10 @@ static int msm_vfe40_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
		fe_cfg->stream_id);
		vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;

		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
		vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc < 0 \|\| !buf) {
		pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
		__func__, rc, buf);

drivers/media/platform/msm/camera_v2/isp/msm_isp44.c

+4 −1

Original line number	Diff line number	Diff line
		/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -879,8 +879,11 @@ static int msm_vfe44_fetch_engine_start(struct vfe_device *vfe_dev,
		vfe_dev->buf_mgr, fe_cfg->session_id,
		fe_cfg->stream_id);
		vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;

		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
		vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc < 0) {
		pr_err("%s: No fetch buffer\n", __func__);
		return -EINVAL;

drivers/media/platform/msm/camera_v2/isp/msm_isp46.c

+3 −1

Original line number	Diff line number	Diff line
		/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -824,8 +824,10 @@ static int msm_vfe46_start_fetch_engine(struct vfe_device *vfe_dev,
		fe_cfg->stream_id);
		vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;

		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
		vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc < 0 \|\| !buf) {
		pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
		__func__, rc, buf);

drivers/media/platform/msm/camera_v2/isp/msm_isp47.c

+3 −1

Original line number	Diff line number	Diff line
		/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
		/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
		*
		* This program is free software; you can redistribute it and/or modify
		* it under the terms of the GNU General Public License version 2 and
		@@ -1113,8 +1113,10 @@ int msm_vfe47_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
		fe_cfg->stream_id);
		vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;

		mutex_lock(&vfe_dev->buf_mgr->lock);
		rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
		vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
		mutex_unlock(&vfe_dev->buf_mgr->lock);
		if (rc < 0 \|\| !buf) {
		pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
		__func__, rc, buf);