mm-camera2:isp2: Handle use after free buffer

author Meera Gande <mgande@codeaurora.org>

Mon, 22 Jan 2018 12:45:02 +0000 (18:15 +0530)

committer Meera Gande <mgande@codeaurora.org>

Tue, 23 Jan 2018 06:53:48 +0000 (12:23 +0530)
author Meera Gande <mgande@codeaurora.org>
Mon, 22 Jan 2018 12:45:02 +0000 (18:15 +0530)
committer Meera Gande <mgande@codeaurora.org>
Tue, 23 Jan 2018 06:53:48 +0000 (12:23 +0530)
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp40.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp40.c

index d3c4185..717e375 100644 (file)
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp40.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp40.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
   *
   * This program is free software; you can redistribute it and/or modify
   * it under the terms of the GNU General Public License version 2 and
@@ -1119,8 +1119,10 @@ static int msm_vfe40_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
                                 fe_cfg->stream_id);
                 vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
  
+               mutex_lock(&vfe_dev->buf_mgr->lock);
                 rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
                         vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
+               mutex_unlock(&vfe_dev->buf_mgr->lock);
                 if (rc < 0 || !buf) {
                         pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
                                 __func__, rc, buf);
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp44.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp44.c

index cc4dd5e..1d50354 100644 (file)
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp44.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp44.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
   *
   * This program is free software; you can redistribute it and/or modify
   * it under the terms of the GNU General Public License version 2 and
@@ -891,8 +891,11 @@ static int msm_vfe44_fetch_engine_start(struct vfe_device *vfe_dev,
                         vfe_dev->buf_mgr, fe_cfg->session_id,
                         fe_cfg->stream_id);
                 vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
+
+               mutex_lock(&vfe_dev->buf_mgr->lock);
                 rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
                         vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
+               mutex_unlock(&vfe_dev->buf_mgr->lock);
                 if (rc < 0) {
                         pr_err("%s: No fetch buffer\n", __func__);
                         return -EINVAL;
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c

index 6326240..42787c6 100644 (file)
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
   *
   * This program is free software; you can redistribute it and/or modify
   * it under the terms of the GNU General Public License version 2 and
@@ -833,8 +833,10 @@ static int msm_vfe46_start_fetch_engine(struct vfe_device *vfe_dev,
                         fe_cfg->stream_id);
                 vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
  
+               mutex_lock(&vfe_dev->buf_mgr->lock);
                 rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
                         vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
+               mutex_unlock(&vfe_dev->buf_mgr->lock);
                 if (rc < 0 || !buf) {
                         pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
                                 __func__, rc, buf);
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c

index 146ed1f..121f1ab 100644 (file)
--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2013-2018, The Linux Foundation. All rights reserved.
   *
   * This program is free software; you can redistribute it and/or modify
   * it under the terms of the GNU General Public License version 2 and
@@ -1153,8 +1153,10 @@ int msm_vfe47_start_fetch_engine_multi_pass(struct vfe_device *vfe_dev,
                         fe_cfg->stream_id);
                 vfe_dev->fetch_engine_info.bufq_handle = bufq_handle;
  
+               mutex_lock(&vfe_dev->buf_mgr->lock);
                 rc = vfe_dev->buf_mgr->ops->get_buf_by_index(
                         vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf);
+               mutex_unlock(&vfe_dev->buf_mgr->lock);
                 if (rc < 0 || !buf) {
                         pr_err("%s: No fetch buffer rc= %d buf= %pK\n",
                                 __func__, rc, buf);
author	Meera Gande <mgande@codeaurora.org>
	Mon, 22 Jan 2018 12:45:02 +0000 (18:15 +0530)
committer	Meera Gande <mgande@codeaurora.org>
	Tue, 23 Jan 2018 06:53:48 +0000 (12:23 +0530)
drivers/media/platform/msm/camera_v2/isp/msm_isp40.c		patch \| blob \| history
drivers/media/platform/msm/camera_v2/isp/msm_isp44.c		patch \| blob \| history
drivers/media/platform/msm/camera_v2/isp/msm_isp46.c		patch \| blob \| history
drivers/media/platform/msm/camera_v2/isp/msm_isp47.c		patch \| blob \| history