From patchwork Wed Jun 14 13:05:39 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 692845
Date: Wed, 14 Jun 2023 16:05:39 +0300
From: Dan Carpenter
To: Yunfei Dong
Cc: Tiffany Lin, Andrew-CT Chen, Mauro Carvalho Chehab, Matthias Brugger, AngeloGioacchino Del Regno, Hans Verkuil, linux-media@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, kernel-janitors@vger.kernel.org
Subject: [PATCH 1/4] media: mediatek: vcodec: fix potential double free

The "lat_buf->private_data" needs to be set to NULL to prevent a double free. How this would happen is if vdec_msg_queue_init() failed twice in a row and on the second time it failed earlier than on the first time.

The vdec_msg_queue_init() function has a loop which does:

	for (i = 0; i < NUM_BUFFER_COUNT; i++) {

Each iteration initializes one element in the msg_queue->lat_buf[] array and then the clean up function vdec_msg_queue_deinit() frees each element of the msg_queue->lat_buf[] array. This clean up code relies on the assumption that every element is either initialized or zeroed. Leaving a freed pointer which is non-zero breaks the assumption.

Fixes: b199fe46f35c ("media: mtk-vcodec: Add msg queue feature for lat and core architecture")
Signed-off-by: Dan Carpenter
Reviewed-by: Nicolas Dufresne
---
 drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c b/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c index f555341ae708..92ac82eb444e 100644 --- a/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c +++ b/drivers/media/platform/mediatek/vcodec/vdec_msg_queue.c
@@ -231,6 +231,7 @@ void vdec_msg_queue_deinit(struct vdec_msg_queue *msg_queue, mtk_vcodec_mem_free(ctx, mem); kfree(lat_buf->private_data); + lat_buf->private_data = NULL; } cancel_work_sync(&msg_queue->core_work);

From patchwork Wed Jun 14 13:07:15 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 692844
Date: Wed, 14 Jun 2023 16:07:15 +0300
From: Dan Carpenter
To: Yunfei Dong
Cc: Tiffany Lin, Andrew-CT Chen, Mauro Carvalho Chehab, Matthias Brugger, AngeloGioacchino Del Regno, Hans Verkuil, linux-media@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, kernel-janitors@vger.kernel.org
Subject: [PATCH 3/4] media: mediatek: vcodec: Fix potential crash in mtk_vcodec_dbgfs_remove()

The list iterator "dbgfs_inst" is always non-NULL. This means that the test for NULL inside the loop is unnecessary and it also means that the test for NULL outside the loop will not work. If we do not find the item on the list with the correct ctx_id then it will free invalid memory leading to a crash.

Fixes: cd403a6a0419 ("media: mediatek: vcodec: Add a debugfs file to get different useful information")
Signed-off-by: Dan Carpenter
---
 .../media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c index 2151c3967684..2ebf68d33d57 100644 --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_dbgfs.c @@ -166,16 +166,13 @@ void mtk_vcodec_dbgfs_remove(struct mtk_vcodec_dev *vcodec_dev, int ctx_id) struct mtk_vcodec_dbgfs_inst *dbgfs_inst; list_for_each_entry(dbgfs_inst, &vcodec_dev->dbgfs.dbgfs_head, node) { - if (dbgfs_inst && dbgfs_inst->inst_id == ctx_id) { + if (dbgfs_inst->inst_id == ctx_id) { vcodec_dev->dbgfs.inst_count--; - break; + list_del(&dbgfs_inst->node); + kfree(dbgfs_inst); + return; } } - - if (dbgfs_inst) { - list_del(&dbgfs_inst->node); - kfree(dbgfs_inst); - } } EXPORT_SYMBOL_GPL(mtk_vcodec_dbgfs_remove);
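
Review bot: in the [PATCH 1/4] hunk for vdec_msg_queue_deinit(), only lat_buf->private_data is reset, while the line directly above it releases another per-element buffer with mtk_vcodec_mem_free(ctx, mem). The commit message says the cleanup relies on every element being either initialized or zeroed, and the hunk does not show whether mtk_vcodec_mem_free() clears the pointer it frees. If it does not, the same "failed twice, second time earlier" sequence would release mem twice; please either reset it here as well or say in the commit message that the helper already handles it.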
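
Review bot: in the [PATCH 3/4] hunk for mtk_vcodec_dbgfs_remove(), list_del() and kfree() now run inside a plain list_for_each_entry() body, which is safe only because the return follows immediately, and nothing in the code says so. A short comment on the return, or list_for_each_entry_safe(), would stop a later edit that turns the return back into a break, or lets the loop continue, from dereferencing the freed dbgfs_inst. Separately, a ctx_id that matches no entry now falls out of the loop silently; since the commit message treats that case as reachable, a debug message there would make the mismatch visible.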
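
The failure sequence from the [PATCH 1/4] commit message, modelled in userspace as an added example (not code from the patch or the driver). The tracking allocator, `model_init_fail()` and `run_scenario()` are hypothetical names, and the model assumes the init error path calls the deinit routine.

```c
#include <stddef.h>
#define NUM_BUFFER_COUNT 3

/* Tracking allocator (constructed): slots are never reused, repeated frees are counted. */
static struct slot { int live; } pool[32];
static size_t next_slot;
static int double_frees;
static void *model_alloc(void)
{
	struct slot *s = &pool[next_slot++];
	s->live = 1;
	return s;
}
static void model_free(void *p)	/* like kfree(): NULL is a no-op */
{
	struct slot *s = p;
	if (s && !s->live)
		double_frees++;
	if (s)
		s->live = 0;
}

struct lat_buf { void *private_data; };
struct msg_queue { struct lat_buf lat_buf[NUM_BUFFER_COUNT]; };
static void model_deinit(struct msg_queue *q, int clear_ptr)
{
	for (int i = 0; i < NUM_BUFFER_COUNT; i++) {
		model_free(q->lat_buf[i].private_data);
		if (clear_ptr)	/* the one-line change from the patch */
			q->lat_buf[i].private_data = NULL;
	}
}
/* Assumed error path: init fills elements [0, fail_at) and then calls deinit. */
static void model_init_fail(struct msg_queue *q, int fail_at, int clear_ptr)
{
	for (int i = 0; i < fail_at; i++)
		q->lat_buf[i].private_data = model_alloc();
	model_deinit(q, clear_ptr);
}
/* Two failed inits in a row, the second failing earlier; returns repeated frees. */
static int run_scenario(int clear_ptr)
{
	struct msg_queue q = { 0 };
	double_frees = 0;
	model_init_fail(&q, 2, clear_ptr);
	model_init_fail(&q, 1, clear_ptr);
	return double_frees;
}

int main(void) { return !(run_scenario(0) == 1 && run_scenario(1) == 0); }
```

Without the reset, element 1 still holds the pointer freed by the first cleanup, so the second cleanup releases it again; with the reset the stale slot is NULL and is skipped.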
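
Why the NULL test after the loop could never work, as described in the [PATCH 3/4] commit message, shown as an added userspace example (not code from the patch or the driver). The list helpers are minimal stand-ins written for this example, and `struct inst`, `cursor_non_null_after_miss()` and `remove_inst()` are hypothetical names.

```c
#include <stddef.h>
#include <stdlib.h>
/* Userspace stand-ins for the kernel list helpers (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))
struct inst { int inst_id; struct list_head node; };	/* hypothetical entry type */
static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}
static void list_del(struct list_head *e)
{
	e->prev->next = e->next; e->next->prev = e->prev;
}

/* After a search that misses, pos is container_of(head, ...): non-NULL, not an entry. */
static int cursor_non_null_after_miss(struct list_head *head, int id)
{
	struct inst *pos;
	list_for_each_entry(pos, head, node)
		if (pos->inst_id == id)
			return 0;
	return pos != NULL && &pos->node == head;
}

/* Removal in the shape the patch adopts: unlink and free only on a match. */
static int remove_inst(struct list_head *head, int id)
{
	struct inst *pos;
	list_for_each_entry(pos, head, node) {
		if (pos->inst_id == id) {
			list_del(&pos->node);
			free(pos);
			return 1;	/* leave at once, pos is gone */
		}
	}
	return 0;	/* no match: nothing unlinked, nothing freed */
}

int main(void)
{
	struct list_head head = { &head, &head };	/* empty list */
	return !cursor_non_null_after_miss(&head, 99) || remove_inst(&head, 99);
}
```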