From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Dan Carpenter, Dikshita Agarwal, Vikash Garodia, Bryan ODonoghue, Hans Verkuil
Subject: [PATCH 7.0 073/201] media: iris: Fix use-after-free in iris_release_internal_buffers()
Date: Fri, 15 May 2026 17:48:11 +0200
Message-ID: <20260515154700.116356333@linuxfoundation.org>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260515154658.538039039@linuxfoundation.org>
References: <20260515154658.538039039@linuxfoundation.org>
User-Agent: quilt/0.69
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

7.0-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dikshita Agarwal

commit f27cfdcfc916bb59297825805f4c3499f89f9e76 upstream.

The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free.

Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.

Reported-by: Dan Carpenter
Closes: https://lore.kernel.org/lkml/aYXvKAX3Pg3sL37P@stanley.mountain/#r
Signed-off-by: Dikshita Agarwal
Reviewed-by: Vikash Garodia
Fixes: 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue
Signed-off-by: Hans Verkuil
Signed-off-by: Greg Kroah-Hartman
---
 drivers/media/platform/qcom/iris/iris_buffer.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/media/platform/qcom/iris/iris_buffer.c
+++ b/drivers/media/platform/qcom/iris/iris_buffer.c
@@ -582,10 +582,12 @@ static int iris_release_internal_buffers continue; if (!(buffer->attr & BUF_ATTR_QUEUED)) continue; + buffer->attr |= BUF_ATTR_PENDING_RELEASE; ret = hfi_ops->session_release_buf(inst, buffer); - if (ret) + if (ret) { + buffer->attr &= ~BUF_ATTR_PENDING_RELEASE; return ret; - buffer->attr |= BUF_ATTR_PENDING_RELEASE; + } } return 0;
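Review bot: the error path still dereferences `buffer` after `session_release_buf()` has returned: `buffer->attr &= ~BUF_ATTR_PENDING_RELEASE;` runs only when `ret` is non-zero, so this is safe only if the callee is guaranteed never to free the buffer on a failed call. The commit message says `session_release_buf()` "may free the buffer" but does not state that this cannot happen on the failure path, and nothing in the hunk establishes it either. Please confirm that against the callee's error returns and add a one-line comment above the revert recording that invariant, since the whole point of moving the flag before the call is to avoid touching `buffer` once it may have been freed. The early `return ret;` also leaves earlier buffers in the list with BUF_ATTR_PENDING_RELEASE already set, which is unchanged from the pre-patch behaviour but worth noting for anyone reading the loop as "all or nothing".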