From: Dikshita Agarwal
Date: Mon, 16 Feb 2026 12:37:42 +0530
Subject: [PATCH] media: iris: Fix use-after-free in iris_release_internal_buffers()
Message-Id: <20260216-iris-smatch-fix-v1-1-51f6b41c43ab@oss.qualcomm.com>
X-Mailing-List: linux-kernel@vger.kernel.org
To: Vikash Garodia, Abhinav Kumar, Bryan O'Donoghue, Mauro Carvalho Chehab, Hans Verkuil
Cc: Bryan O'Donoghue, linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Dikshita Agarwal, Dan Carpenter

The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy
internal buffers after FW releases") introduced a regression where
session_release_buf() may free the buffer. The caller,
iris_release_internal_buffers(), continued to access `buffer` after the
call, leading to a potential use-after-free.

Fix this by setting BUF_ATTR_PENDING_RELEASE before calling
session_release_buf(), and reverting the flag if the call fails. This
ensures no dereference occurs after potential freeing.

Fixes: 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases")
Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter
Closes: https://lore.kernel.org/lkml/aYXvKAX3Pg3sL37P@stanley.mountain/#r
Signed-off-by: Dikshita Agarwal
Reviewed-by: Vikash Garodia
---
 drivers/media/platform/qcom/iris/iris_buffer.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/qcom/iris/iris_buffer.c b/drivers/media= /platform/qcom/iris/iris_buffer.c index f1f003a787bf22db6f048c9e682ba8ed2f39bc21..fd30ec8e33653bd21d3c4d1057f= 4f1eea938228d 100644 --- a/drivers/media/platform/qcom/iris/iris_buffer.c +++ b/drivers/media/platform/qcom/iris/iris_buffer.c @@ -582,10 +582,12 @@ static int iris_release_internal_buffers(struct iris_= inst *inst, continue; if (!(buffer->attr & BUF_ATTR_QUEUED)) continue; + buffer->attr |=3D BUF_ATTR_PENDING_RELEASE; ret =3D hfi_ops->session_release_buf(inst, buffer); - if (ret) + if (ret) { + buffer->attr &=3D ~BUF_ATTR_PENDING_RELEASE; return ret; - buffer->attr |=3D BUF_ATTR_PENDING_RELEASE; + } } =20 return 0; --- base-commit: 205697a4aaf20ee56705d7b4771f4081f594e7f7 change-id: 20260213-iris-smatch-fix-68f6a90f9c9e Best regards, --=20 Dikshita Agarwal
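Review bot: In the new `if (ret) {` branch of iris_release_internal_buffers(), `buffer->attr &= ~BUF_ATTR_PENDING_RELEASE;` still dereferences `buffer` after `hfi_ops->session_release_buf(inst, buffer)` has returned, so the fix is complete only if that callback never frees the buffer on a path that returns non-zero. The commit message states that no dereference occurs after a potential free, which does not match this error path as written. Please either document the invariant in a comment above the call (the buffer is freed only when the call succeeds) or restructure so that `buffer` is not touched after the call at all. The revert is also unconditional: if BUF_ATTR_PENDING_RELEASE can already be set on a queued buffer when the loop reaches it, the error path would clear a flag this function did not set, so consider reverting only when the flag was clear before the call.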