From: Vishnu Reddy
Date: Fri, 27 Feb 2026 23:03:00 +0530
Subject: [PATCH] media: iris: fix use-after-free of fmt_src during MBPF check
Message-Id: <20260227-fix-use-after-free-of-fmt_src-during-mbpf-v1-1-307cdafffa2a@oss.qualcomm.com>
To: Vikash Garodia, Dikshita Agarwal, Abhinav Kumar, Bryan O'Donoghue, Mauro Carvalho Chehab
Cc: linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Vishnu Reddy
X-Mailer: b4 0.14.3
A race condition was observed during concurrency testing. The core MBPF check walks the list of active instances and reads fields such as fmt_src height and width. At the same time, iris_close() could free these format structures before the instance was removed from the core list. This creates a use-after-free window where the MBPF checker accesses the freed memory and reads invalid values.

To fix this, the freeing of fmt_src and fmt_dst is moved to the end of iris_close(), after the instance has been removed from the core list and teardown is complete. This avoids accessing dangling pointers during the MBPF check.
Signed-off-by: Vishnu Reddy --- drivers/media/platform/qcom/iris/iris_vdec.c | 6 ------ drivers/media/platform/qcom/iris/iris_vdec.h | 1 - drivers/media/platform/qcom/iris/iris_venc.c | 6 ------ drivers/media/platform/qcom/iris/iris_venc.h | 1 - drivers/media/platform/qcom/iris/iris_vidc.c | 6 ++---- 5 files changed, 2 insertions(+), 18 deletions(-) diff --git a/drivers/media/platform/qcom/iris/iris_vdec.c b/drivers/media/p= latform/qcom/iris/iris_vdec.c index 719217399a30..99d544e2af4f 100644 --- a/drivers/media/platform/qcom/iris/iris_vdec.c +++ b/drivers/media/platform/qcom/iris/iris_vdec.c @@ -61,12 +61,6 @@ int iris_vdec_inst_init(struct iris_inst *inst) return iris_ctrls_init(inst); } =20 -void iris_vdec_inst_deinit(struct iris_inst *inst) -{ - kfree(inst->fmt_dst); - kfree(inst->fmt_src); -} - static const struct iris_fmt iris_vdec_formats_cap[] =3D { [IRIS_FMT_NV12] =3D { .pixfmt =3D V4L2_PIX_FMT_NV12, diff --git a/drivers/media/platform/qcom/iris/iris_vdec.h b/drivers/media/p= latform/qcom/iris/iris_vdec.h index ec1ce55d1375..5123d2a340e1 100644 --- a/drivers/media/platform/qcom/iris/iris_vdec.h +++ b/drivers/media/platform/qcom/iris/iris_vdec.h @@ -9,7 +9,6 @@ struct iris_inst; =20 int iris_vdec_inst_init(struct iris_inst *inst); -void iris_vdec_inst_deinit(struct iris_inst *inst); int iris_vdec_enum_fmt(struct iris_inst *inst, struct v4l2_fmtdesc *f); int iris_vdec_try_fmt(struct iris_inst *inst, struct v4l2_format *f); int iris_vdec_s_fmt(struct iris_inst *inst, struct v4l2_format *f); diff --git a/drivers/media/platform/qcom/iris/iris_venc.c b/drivers/media/p= latform/qcom/iris/iris_venc.c index aa27b22704eb..4d886769d958 100644 --- a/drivers/media/platform/qcom/iris/iris_venc.c +++ b/drivers/media/platform/qcom/iris/iris_venc.c 
@@ -79,12 +79,6 @@ int iris_venc_inst_init(struct iris_inst *inst) return iris_ctrls_init(inst); } =20 -void iris_venc_inst_deinit(struct iris_inst *inst) -{ - kfree(inst->fmt_dst); - kfree(inst->fmt_src); -} - static const struct iris_fmt iris_venc_formats_cap[] =3D { [IRIS_FMT_H264] =3D { .pixfmt =3D V4L2_PIX_FMT_H264, diff --git a/drivers/media/platform/qcom/iris/iris_venc.h b/drivers/media/p= latform/qcom/iris/iris_venc.h index c4db7433da53..00c1716b2747 100644 --- a/drivers/media/platform/qcom/iris/iris_venc.h +++ b/drivers/media/platform/qcom/iris/iris_venc.h @@ -9,7 +9,6 @@ struct iris_inst; =20 int iris_venc_inst_init(struct iris_inst *inst); -void iris_venc_inst_deinit(struct iris_inst *inst); int iris_venc_enum_fmt(struct iris_inst *inst, struct v4l2_fmtdesc *f); int iris_venc_try_fmt(struct iris_inst *inst, struct v4l2_format *f); int iris_venc_s_fmt(struct iris_inst *inst, struct v4l2_format *f); diff --git a/drivers/media/platform/qcom/iris/iris_vidc.c b/drivers/media/p= latform/qcom/iris/iris_vidc.c index bd38d84c9cc7..5eb1786b0737 100644 --- a/drivers/media/platform/qcom/iris/iris_vidc.c +++ b/drivers/media/platform/qcom/iris/iris_vidc.c @@ -289,10 +289,6 @@ int iris_close(struct file *filp) v4l2_m2m_ctx_release(inst->m2m_ctx); v4l2_m2m_release(inst->m2m_dev); mutex_lock(&inst->lock); - if (inst->domain =3D=3D DECODER) - iris_vdec_inst_deinit(inst); - else if (inst->domain =3D=3D ENCODER) - iris_venc_inst_deinit(inst); iris_session_close(inst); iris_inst_change_state(inst, IRIS_INST_DEINIT); iris_v4l2_fh_deinit(inst, filp); @@ -304,6 +300,8 @@ int iris_close(struct file *filp) mutex_unlock(&inst->lock); mutex_destroy(&inst->ctx_q_lock); mutex_destroy(&inst->lock); + kfree(inst->fmt_src); + kfree(inst->fmt_dst); kfree(inst); =20 return 0; --- base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f change-id: 20260226-fix-use-after-free-of-fmt_src-during-mbpf-abc27f573400 Best regards, --=20 Vishnu Reddy
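Review bot: in the iris_vdec.c hunk (and its iris_venc.c twin), deleting iris_vdec_inst_deinit()/iris_venc_inst_deinit() takes the kfree of fmt_src and fmt_dst out of the file that holds iris_vdec_inst_init()/iris_venc_inst_init(), so the allocation and the release of these structures are no longer visible side by side. A one-line comment at the new kfree site in iris_close() stating that the core owns and frees the format structures would keep the ownership clear; since only iris_vidc.c is touched in the diffstat, any remaining caller of the removed helpers will show up as a build failure, which is worth confirming before posting v2.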
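Review bot: in the @@ -289 hunk of iris_vidc.c, dropping the deinit calls from under inst->lock is only a complete fix if the instance leaves the core list under the same lock the MBPF walker takes, so that once the walker drops that lock it can no longer reach inst; the list removal is not in the diff (it falls in the unshown context between this hunk and @@ -304) and the changelog only asserts that it happens first. Please name that lock in the commit message; if the walker could still hold a pointer to inst after the removal, deferring kfree() to the end of iris_close() narrows the window rather than closing it.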
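Review bot: in the @@ -304 hunk, placing `kfree(inst->fmt_src);` and `kfree(inst->fmt_dst);` after mutex_destroy(&inst->lock) is fine because no lock is needed once the instance is unreachable, but the patch carries no Fixes: tag and no Cc: stable@vger.kernel.org although it fixes a use-after-free; add a Fixes: line naming the commit that introduced the early free so the change is picked up by stable trees.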