Re: [PATCH v3] media: iris: fix use-after-free of fmt_src during MBPF check
From: Dikshita Agarwal
Date: Fri Mar 06 2026 - 00:06:44 EST
On 3/5/2026 6:58 PM, Vishnu Reddy wrote:
> During concurrency testing, multiple instances can run in parallel, and
> each instance uses its own inst->lock while the core->lock protects the
> list of active instances. The race happens because these locks cover
> different scopes: inst->lock protects only the internals of a single
> instance, while the Macro Blocks Per Frame (MBPF) checker walks the
> core list under core->lock and reads fields like fmt_src->width and
> fmt_src->height. At the same time, iris_close() may free fmt_src and
> fmt_dst under inst->lock while the instance is still present in the core
> list. This allows a situation where the MBPF checker, still iterating
> through the core list, reaches an instance whose fmt_src was already
> freed by another thread and ends up dereferencing a dangling pointer,
> resulting in a use-after-free. This happens because the MBPF checker
> assumes that any instance in the core list is fully valid, but the
> freeing of fmt_src and fmt_dst without removing the instance from the
> core list is not correct.
>
> The correct ordering is to defer freeing fmt_src and fmt_dst until after
> the instance has been removed from the core list and all teardown under
> the core lock has completed, ensuring that no dangling pointers are ever
> exposed during MBPF checks.
>
> Fixes: 5ad964ad5656 ("media: iris: Initialize and deinitialize encoder instance structure")
> Cc: stable@xxxxxxxxxxxxxxx
> Reviewed-by: Vikash Garodia <vikash.garodia@xxxxxxxxxxxxxxxx>
> Signed-off-by: Vishnu Reddy <busanna.reddy@xxxxxxxxxxxxxxxx>
> ---
> Changes in v3:
> - Removed global word from the commit description
> - Added MBPF full form in the commit description
> - Link to v2: https://lore.kernel.org/r/20260304-fix-use-after-free-of-fmt_src-during-mbpf-v2-1-b4c78d1bf764@xxxxxxxxxxxxxxxx
>
> Changes in v2:
> - Updated the commit description
> - Added Fixes tag and Cc stable
> - Link to v1: https://lore.kernel.org/r/20260227-fix-use-after-free-of-fmt_src-during-mbpf-v1-1-307cdafffa2a@xxxxxxxxxxxxxxxx
> ---
> drivers/media/platform/qcom/iris/iris_vdec.c | 6 ------
> drivers/media/platform/qcom/iris/iris_vdec.h | 1 -
> drivers/media/platform/qcom/iris/iris_venc.c | 6 ------
> drivers/media/platform/qcom/iris/iris_venc.h | 1 -
> drivers/media/platform/qcom/iris/iris_vidc.c | 6 ++----
> 5 files changed, 2 insertions(+), 18 deletions(-)
>
Reviewed-by: Dikshita Agarwal <dikshita.agarwal@xxxxxxxxxxxxxxxx>
Thanks,
Dikshita
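The teardown ordering the commit message describes, as an added C model that is not the iris driver's code: the structures, the singly linked core list and the helper names are hypothetical simplifications, and counting MBPF as width*height/256 (16x16 macroblocks) is an assumption. It shows why unlinking under core->lock has to happen before fmt_src and fmt_dst are freed.

```c
#include <stdlib.h>
#include <pthread.h>

/* Hypothetical, simplified models of the iris structures the patch discusses. */
struct iris_fmt { unsigned int width, height; };
struct iris_inst {
	struct iris_inst *next;             /* link in core->instances */
	struct iris_fmt *fmt_src, *fmt_dst; /* freed by iris_close() */
};
struct iris_core { pthread_mutex_t lock; struct iris_inst *instances; }; /* lock: core->lock, protects the list */

/* Open an instance and publish it on the core list under core->lock. */
struct iris_inst *iris_inst_open(struct iris_core *core, unsigned int w, unsigned int h)
{
	struct iris_inst *inst = calloc(1, sizeof(*inst));
	inst->fmt_src = calloc(1, sizeof(*inst->fmt_src));
	inst->fmt_dst = calloc(1, sizeof(*inst->fmt_dst));
	*inst->fmt_src = (struct iris_fmt){ w, h };
	pthread_mutex_lock(&core->lock);
	inst->next = core->instances;
	core->instances = inst;
	pthread_mutex_unlock(&core->lock);
	return inst;
}

/* MBPF checker: walks the list under core->lock and reads fmt_src of every
 * linked instance, so each of them must still own a valid fmt_src. */
unsigned int iris_core_mbpf(struct iris_core *core)
{
	unsigned int mbpf = 0;
	pthread_mutex_lock(&core->lock);
	for (struct iris_inst *i = core->instances; i; i = i->next)
		mbpf += (i->fmt_src->width * i->fmt_src->height) / 256; /* 16x16 macroblocks */
	pthread_mutex_unlock(&core->lock);
	return mbpf;
}

/* Teardown in the order the patch requires: unlink under core->lock first, so no
 * MBPF walk can reach the instance, then free the formats. The bug freed them
 * under inst->lock (which does not cover the list walk) while still linked. */
void iris_close(struct iris_core *core, struct iris_inst *inst)
{
	pthread_mutex_lock(&core->lock);
	for (struct iris_inst **pp = &core->instances; *pp; pp = &(*pp)->next)
		if (*pp == inst) { *pp = inst->next; break; }
	pthread_mutex_unlock(&core->lock);
	free(inst->fmt_src); /* safe now: no walker can observe inst */
	free(inst->fmt_dst);
	free(inst);
}
```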