From: Vishnu Reddy
Date: Thu, 05 Mar 2026 18:58:31 +0530
Subject: [PATCH v3] media: iris: fix use-after-free of fmt_src during MBPF check
Message-Id: <20260305-fix-use-after-free-of-fmt_src-during-mbpf-v3-1-20cd61ca488b@oss.qualcomm.com>
To: Vikash Garodia, Dikshita Agarwal, Abhinav Kumar, Bryan O'Donoghue, Mauro Carvalho Chehab, Hans Verkuil
Cc: linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Bryan O'Donoghue, stable@vger.kernel.org, Vishnu Reddy
X-Mailer: b4 0.14.3
During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes: inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free.
This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct. The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.

Fixes: 5ad964ad5656 ("media: iris: Initialize and deinitialize encoder instance structure")
Cc: stable@vger.kernel.org
Reviewed-by: Vikash Garodia
Signed-off-by: Vishnu Reddy
Reviewed-by: Dikshita Agarwal
---
Changes in v3:
- Removed global word from the commit description
- Added MBPF full form in the commit description
- Link to v2: https://lore.kernel.org/r/20260304-fix-use-after-free-of-fmt_src-during-mbpf-v2-1-b4c78d1bf764@oss.qualcomm.com

Changes in v2:
- Updated the commit description
- Added Fixes tag and Cc stable
- Link to v1: https://lore.kernel.org/r/20260227-fix-use-after-free-of-fmt_src-during-mbpf-v1-1-307cdafffa2a@oss.qualcomm.com
---
 drivers/media/platform/qcom/iris/iris_vdec.c | 6 ------
 drivers/media/platform/qcom/iris/iris_vdec.h | 1 -
 drivers/media/platform/qcom/iris/iris_venc.c | 6 ------
 drivers/media/platform/qcom/iris/iris_venc.h | 1 -
 drivers/media/platform/qcom/iris/iris_vidc.c | 6 ++----
 5 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/drivers/media/platform/qcom/iris/iris_vdec.c b/drivers/media/platform/qcom/iris/iris_vdec.c
index 719217399a30..99d544e2af4f 100644
--- a/drivers/media/platform/qcom/iris/iris_vdec.c
+++ b/drivers/media/platform/qcom/iris/iris_vdec.c
@@ -61,12 +61,6 @@ int iris_vdec_inst_init(struct iris_inst *inst) return iris_ctrls_init(inst); } =20 -void iris_vdec_inst_deinit(struct iris_inst *inst) -{ - kfree(inst->fmt_dst); - kfree(inst->fmt_src); -} - static const struct iris_fmt iris_vdec_formats_cap[] =3D { [IRIS_FMT_NV12] =3D { .pixfmt =3D V4L2_PIX_FMT_NV12, diff --git a/drivers/media/platform/qcom/iris/iris_vdec.h b/drivers/media/p= latform/qcom/iris/iris_vdec.h index ec1ce55d1375..5123d2a340e1 100644 --- a/drivers/media/platform/qcom/iris/iris_vdec.h +++ b/drivers/media/platform/qcom/iris/iris_vdec.h @@ -9,7 +9,6 @@ struct iris_inst; =20 int iris_vdec_inst_init(struct iris_inst *inst); -void iris_vdec_inst_deinit(struct iris_inst *inst); int iris_vdec_enum_fmt(struct iris_inst *inst, struct v4l2_fmtdesc *f); int iris_vdec_try_fmt(struct iris_inst *inst, struct v4l2_format *f); int iris_vdec_s_fmt(struct iris_inst *inst, struct v4l2_format *f); diff --git a/drivers/media/platform/qcom/iris/iris_venc.c b/drivers/media/p= latform/qcom/iris/iris_venc.c index aa27b22704eb..4d886769d958 100644 --- a/drivers/media/platform/qcom/iris/iris_venc.c +++ b/drivers/media/platform/qcom/iris/iris_venc.c @@ -79,12 +79,6 @@ int iris_venc_inst_init(struct iris_inst *inst) return iris_ctrls_init(inst); } =20 -void iris_venc_inst_deinit(struct iris_inst *inst) -{ - kfree(inst->fmt_dst); - kfree(inst->fmt_src); -} - static const struct iris_fmt iris_venc_formats_cap[] =3D { [IRIS_FMT_H264] =3D { .pixfmt =3D V4L2_PIX_FMT_H264, diff --git a/drivers/media/platform/qcom/iris/iris_venc.h b/drivers/media/p= latform/qcom/iris/iris_venc.h index c4db7433da53..00c1716b2747 100644 --- a/drivers/media/platform/qcom/iris/iris_venc.h +++ b/drivers/media/platform/qcom/iris/iris_venc.h 
@@ -9,7 +9,6 @@ struct iris_inst; =20 int iris_venc_inst_init(struct iris_inst *inst); -void iris_venc_inst_deinit(struct iris_inst *inst); int iris_venc_enum_fmt(struct iris_inst *inst, struct v4l2_fmtdesc *f); int iris_venc_try_fmt(struct iris_inst *inst, struct v4l2_format *f); int iris_venc_s_fmt(struct iris_inst *inst, struct v4l2_format *f); diff --git a/drivers/media/platform/qcom/iris/iris_vidc.c b/drivers/media/p= latform/qcom/iris/iris_vidc.c index bd38d84c9cc7..5eb1786b0737 100644 --- a/drivers/media/platform/qcom/iris/iris_vidc.c +++ b/drivers/media/platform/qcom/iris/iris_vidc.c @@ -289,10 +289,6 @@ int iris_close(struct file *filp) v4l2_m2m_ctx_release(inst->m2m_ctx); v4l2_m2m_release(inst->m2m_dev); mutex_lock(&inst->lock); - if (inst->domain =3D=3D DECODER) - iris_vdec_inst_deinit(inst); - else if (inst->domain =3D=3D ENCODER) - iris_venc_inst_deinit(inst); iris_session_close(inst); iris_inst_change_state(inst, IRIS_INST_DEINIT); iris_v4l2_fh_deinit(inst, filp); @@ -304,6 +300,8 @@ int iris_close(struct file *filp) mutex_unlock(&inst->lock); mutex_destroy(&inst->ctx_q_lock); mutex_destroy(&inst->lock); + kfree(inst->fmt_src); + kfree(inst->fmt_dst); kfree(inst); =20 return 0; --- base-commit: 6de23f81a5e08be8fbf5e8d7e9febc72a5b5f27f change-id: 20260226-fix-use-after-free-of-fmt_src-during-mbpf-abc27f573400 Best regards, --=20 Vishnu Reddy
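Review bot: in the @@ -289,10 hunk of iris_vidc.c the frees are taken out of the inst->lock region, but nothing visible in the hunk shows where the instance is removed from the core list; the commit message relies on that removal (under core->lock) completing before the deferred kfree() calls, so it is worth confirming that it happens inside the calls that remain in the locked region (iris_session_close(), iris_inst_change_state(), iris_v4l2_fh_deinit()) or in the lines elided between the two hunks, and not after mutex_unlock(&inst->lock). A one-line comment at the old site, or a sentence in the commit message naming the function that does the list removal, would make that ordering requirement easier to keep during later refactoring.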
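Review bot: the new `kfree(inst->fmt_src);` / `kfree(inst->fmt_dst);` in the @@ -304,6 hunk of iris_vidc.c now run unconditionally for both the DECODER and ENCODER domains, which is fine since kfree() accepts NULL, and they sit after mutex_destroy(&inst->lock) and immediately before kfree(inst), so no other path can reach the freed pointers through a live instance. Consider a short comment above them stating that they must stay after the instance has left the core list, since the reason for their placement currently lives only in the commit message and a future cleanup could move them back into a per-domain deinit helper like the ones this patch deletes from iris_vdec.c and iris_venc.c.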