Hi Myungho,
On 2018-11-12 01:49, Myungho Jung wrote:
> The mutex that is held from vb2_fop_read() can be unlocked while waiting
> for a buffer if the queue is streaming and blocking. Meanwhile, fileio
> can be released. So, it should return an error if the fileio address is
> changed.
>
> Signed-off-by: Myungho Jung <mhjungk@xxxxxxxxx>
> Reported-by: syzbot+4180ff9ca6810b06c1e9@xxxxxxxxxxxxxxxxxxxxxxxxx
Acked-by: Marek Szyprowski <m.szyprowski@xxxxxxxxxxx>
Thanks for analyzing the code and fixing this issue!
> ---
> drivers/media/common/videobuf2/videobuf2-core.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
> index 975ff5669f72..bff94752eb27 100644
> --- a/drivers/media/common/videobuf2/videobuf2-core.c
> +++ b/drivers/media/common/videobuf2/videobuf2-core.c
> @@ -2564,6 +2564,10 @@ static size_t __vb2_perform_fileio(struct vb2_queue *q, char __user *data, size_
> dprintk(5, "vb2_dqbuf result: %d\n", ret);
> if (ret)
> return ret;
> + if (fileio != q->fileio) {
> + dprintk(3, "fileio deallocated\n");
> + return -EFAULT;
> + }
> fileio->dq_count += 1;
>
> fileio->cur_index = index;
Best regards
--
Marek Szyprowski, PhD
Samsung R&D Institute Poland
