mm-camera2:isp2: Handle use after free buffer
In the code, start_fetch can try to access the buffer pointer variable after free, as the same pointer can be freed at RELEASE_BUF call at the same time. Change-Id: Ic83f22336504cf67afe12131f791eee25477f011 Signed-off-by: Meera Gande <mgande@codeaurora.org>
This commit is contained in:
parent
a5cabe9334
commit
d5c49b6b51
4 changed files with 13 additions and 4 deletions
|
@ -1,4 +1,4 @@
|
|||
/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
|
||||
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
|
@ -1119,8 +1119,10 @@ static int msm_vfe40_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
|
|||
fe_cfg->stream_id);
|
||||
vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
|
||||
|
||||
mutex_lock(&vfe_dev->buf_mgr->lock);
|
||||
rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
|
||||
vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
|
||||
mutex_unlock(&vfe_dev->buf_mgr->lock);
|
||||
if (rc < 0 || !buf) {
|
||||
pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
|
||||
__func__, rc, buf);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
|
||||
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
|
@ -891,8 +891,11 @@ static int msm_vfe44_fetch_engine_start(struct vfe_device *vfe_dev,
|
|||
vfe_dev->buf_mgr, fe_cfg->session_id,
|
||||
fe_cfg->stream_id);
|
||||
vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
|
||||
|
||||
mutex_lock(&vfe_dev->buf_mgr->lock);
|
||||
rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
|
||||
vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
|
||||
mutex_unlock(&vfe_dev->buf_mgr->lock);
|
||||
if (rc < 0) {
|
||||
pr_err("%s: No fetch buffer\n", __func__);
|
||||
return -EINVAL;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
|
||||
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
|
@ -833,8 +833,10 @@ static int msm_vfe46_start_fetch_engine(struct vfe_device *vfe_dev,
|
|||
fe_cfg->stream_id);
|
||||
vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
|
||||
|
||||
mutex_lock(&vfe_dev->buf_mgr->lock);
|
||||
rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
|
||||
vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
|
||||
mutex_unlock(&vfe_dev->buf_mgr->lock);
|
||||
if (rc < 0 || !buf) {
|
||||
pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
|
||||
__func__, rc, buf);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
|
||||
/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 and
|
||||
|
@ -1153,8 +1153,10 @@ int msm_vfe47_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
|
|||
fe_cfg->stream_id);
|
||||
vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
|
||||
|
||||
mutex_lock(&vfe_dev->buf_mgr->lock);
|
||||
rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
|
||||
vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
|
||||
mutex_unlock(&vfe_dev->buf_mgr->lock);
|
||||
if (rc < 0 || !buf) {
|
||||
pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
|
||||
__func__, rc, buf);
|
||||
|
|
Loading…
Add table
Reference in a new issue