mm-camera2:isp2: Handle use after free buffer

In the code, start_fetch can try to access the
buffer pointer variable after free, as the
same pointer can be freed at RELEASE_BUF call at
the same time.

Change-Id: Ic83f22336504cf67afe12131f791eee25477f011
Signed-off-by: Meera Gande <mgande@codeaurora.org>
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
Meera Gande 2019-10-30 16:46:07 +05:30 committed by syphyr
parent 1fd85fc4b7
commit d6f20078ac
1 changed files with 3 additions and 1 deletions

@ -1079,14 +1079,16 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd,
mutex_unlock(&vfe_dev->core_mutex);
break;
case VIDIOC_MSM_ISP_AXI_RESTART:
mutex_lock(&vfe_dev->core_mutex);
mutex_lock(&vfe_dev->buf_mgr->lock);
if (atomic_read(&vfe_dev->error_info.overflow_state)
!= HALT_ENFORCED) {
mutex_lock(&vfe_dev->core_mutex);
rc = msm_isp_stats_restart(vfe_dev);
rc |= msm_isp_axi_restart(vfe_dev, arg);
} else {
pr_err_ratelimited("Halt Enforced");
}
mutex_unlock(&vfe_dev->buf_mgr->lock);
mutex_unlock(&vfe_dev->core_mutex);
break;
case VIDIOC_MSM_ISP_INPUT_CFG:
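
Review bot: The VIDIOC_MSM_ISP_AXI_RESTART case now nests two locks, core_mutex first and buf_mgr->lock second, and nothing in the hunk documents that order. Add a comment above the two mutex_lock calls stating it, and confirm every other path that holds both locks takes them in the same order, otherwise this trades the use-after-free for an ABBA deadlock. The commit message names start_fetch and RELEASE_BUF as the racing paths, but neither is visible here; the fix only works if the RELEASE_BUF handler frees the buffer under buf_mgr->lock, so say so in the message or point to where that happens. The rendering has dropped the +/- markers, so mutex_lock(&vfe_dev->core_mutex) appears both before the if and inside it; with 3 additions and 1 deletion this reads as the inner lock being moved out, which also means the else branch no longer reaches mutex_unlock(&vfe_dev->core_mutex) without holding it. Please verify against the raw patch that the inner call is really gone, since core_mutex taken twice on the same path would self-deadlock. Minor: the "Halt Enforced" string passed to pr_err_ratelimited has no trailing newline.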