In dynamic bufmode we do not manage the buffers in the registeredbufs list, so do not add them there when they are initialized. Adding them there was causing a use after free of the list_head struct in the buffer when new buffers were allocated after existing buffers were freed. Signed-off-by: Jeffrey Kardatzke <jkardatzke@xxxxxxxxxx> --- drivers/media/platform/qcom/venus/helpers.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/qcom/venus/helpers.c b/drivers/media/platform/qcom/venus/helpers.c index bcc603804041..688a3593b49b 100644 --- a/drivers/media/platform/qcom/venus/helpers.c +++ b/drivers/media/platform/qcom/venus/helpers.c @@ -1054,8 +1054,10 @@ int venus_helper_vb2_buf_init(struct vb2_buffer *vb) buf->size = vb2_plane_size(vb, 0); buf->dma_addr = sg_dma_address(sgt->sgl); - if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) + if (vb->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE && + !is_dynamic_bufmode(inst)) { list_add_tail(&buf->reg_list, &inst->registeredbufs); + } return 0; } -- 2.25.1.481.gfbce0eb801-goog
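Review bot: In the venus_helper_vb2_buf_init() hunk, the added `!is_dynamic_bufmode(inst)` condition means that, as far as this hunk shows, `buf->reg_list` is left unlinked and uninitialized for capture buffers in dynamic bufmode, while the patch touches no teardown path. Please confirm that any code that later removes or walks `reg_list` entries is guarded by the same condition, or call INIT_LIST_HEAD(&buf->reg_list) before the check so that a later list_del() on an unlinked node is harmless. Because the commit message describes a use after free, a Fixes: tag naming the commit that introduced the unconditional list_add_tail() would help with stable backports. Minor style point: the new braces wrap a single statement, which kernel coding style normally omits.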