diff mbox series

media: venus: fix use after free for registeredbufs

Message ID 20200306002321.3344-1-jkardatzke@google.com
State New
Headers show
Series media: venus: fix use after free for registeredbufs | expand

Commit Message

Jeffrey Kardatzke March 6, 2020, 12:23 a.m. UTC 
In dynamic bufmode we do not manage the buffers in the registeredbufs
list, so do not add them there when they are initialized. Adding them
there was causing a use after free of the list_head struct in the buffer
when new buffers were allocated after existing buffers were freed.

Signed-off-by: Jeffrey Kardatzke <jkardatzke@google.com>
---
 drivers/media/platform/qcom/venus/helpers.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/drivers/media/platform/qcom/venus/helpers.c b/drivers/media/platform/qcom/venus/helpers.c
index bcc603804041..688a3593b49b 100644
--- a/drivers/media/platform/qcom/venus/helpers.c
+++ b/drivers/media/platform/qcom/venus/helpers.c
@@ -1054,8 +1054,10 @@  int venus_helper_vb2_buf_init(struct vb2_buffer *vb)
 	buf->size = vb2_plane_size(vb, 0);
 	buf->dma_addr = sg_dma_address(sgt->sgl);
 
-	if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
+	if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE &&
+	    !is_dynamic_bufmode(inst)) {
 		list_add_tail(&buf->reg_list, &inst->registeredbufs);
+	}
 
 	return 0;
 }