media: chips-media: wave5: Release m2m_ctx after Instance Removed from List

Possible use after free if IRQ thread manages to obtain spinlock between
m2m_ctx release and wave5_release function removing stream instance from
list of active instances. The IRQ thread looks for the m2m_ctx which is
freed so null pointer dereference occurs.

Signed-off-by: Brandon Brnich <b-brnich@ti.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Tested-by: Jackson Lee <jackson.lee@chipsnmedia.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>

diff --git a/drivers/media/platform/chips-media/wave5/wave5-helper.c b/drivers/media/platform/chips-media/wave5/wave5-helper.c
index 53a0ac068c2e25299b708b43a1e3694e68b9bdd6..c3d34be833ff0ac8d97a59823127d005d8d1256a 100644 (file)
--- a/drivers/media/platform/chips-media/wave5/wave5-helper.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-helper.c
@@ -68,7 +68,6 @@ int wave5_vpu_release_device(struct file *filp,
        int ret = 0;
        unsigned long flags;
 
-       v4l2_m2m_ctx_release(inst->v4l2_fh.m2m_ctx);
        /*
         * To prevent Null reference exception, the existing irq handler were
         * separated to two modules.
@@ -89,6 +88,9 @@ int wave5_vpu_release_device(struct file *filp,
        list_del_init(&inst->list);
        spin_unlock_irqrestore(&inst->dev->irq_spinlock, flags);
        mutex_unlock(&inst->dev->irq_lock);
+
+       v4l2_m2m_ctx_release(inst->v4l2_fh.m2m_ctx);
+
        if (inst->state != VPU_INST_STATE_NONE) {
                u32 fail_res;