drivers: media: pisp_be: Fix use after free in job queue logic

naushir · naushir · commit 3e4f99e060ba · 2025-08-14T07:48:56.000+01:00
pispbe_schedule() currently takes a node group as a parameter, which is
left over from before the job prepare/scheduling refactoring. This is
now invalid, as jobs are executed in the order which they were queued.

As part of this old code, there was a check if the current node group
mached the node group of the job, and if unmathched, use a "continue"
statement. This is invalid as there is no loop to iterate over any more.
The reason this was not a compile bug is because of the for loop used
as part of the scoped_guard macro.

A consequence of breaking out of the scoped_guard loop early is that
the job structure gets freed, but not actually removed from the queue
and may be accessed after freeing.

Fix this by removing the node group test in pispbe_schedule() as it is
no longer valid to use.

Signed-off-by: Naushir Patuck &lt;naush@raspberrypi.com&gt;
diff --git a/drivers/media/platform/raspberrypi/pisp_be/pisp_be.c b/drivers/media/platform/raspberrypi/pisp_be/pisp_be.c
@@ -594,9 +594,7 @@ static int pispbe_prepare_job(struct pispbe_node_group *node_group)
 	return -ENODEV;
 }
 
-static void pispbe_schedule(struct pispbe_dev *pispbe,
-			    struct pispbe_node_group *node_group,
-			    bool clear_hw_busy)
+static void pispbe_schedule(struct pispbe_dev *pispbe, bool clear_hw_busy)
 {
 	struct pispbe_job_descriptor *job;
 
@@ -613,9 +611,6 @@ static void pispbe_schedule(struct pispbe_dev *pispbe,
 		if (!job)
 			return;
 
-		if (node_group && job->node_group != node_group)
-			continue;
-
 		list_del(&job->queue);
 
 		for (unsigned int i = 0; i < PISPBE_NUM_NODES; i++)
@@ -703,7 +698,7 @@ static irqreturn_t pispbe_isr(int irq, void *dev)
 	}
 
 	/* check if there's more to do before going to sleep */
-	pispbe_schedule(pispbe, NULL, can_queue_another);
+	pispbe_schedule(pispbe, can_queue_another);
 
 	return IRQ_HANDLED;
 }
@@ -894,7 +889,7 @@ static void pispbe_node_buffer_queue(struct vb2_buffer *buf)
 	 * to do, but only for this client.
 	 */
 	if (!pispbe_prepare_job(node_group))
-		pispbe_schedule(pispbe, node_group, false);
+		pispbe_schedule(pispbe, false);
 }
 
 static int pispbe_node_start_streaming(struct vb2_queue *q, unsigned int count)
@@ -921,7 +916,7 @@ static int pispbe_node_start_streaming(struct vb2_queue *q, unsigned int count)
 
 	/* Maybe we're ready to run. */
 	if (!pispbe_prepare_job(node_group))
-		pispbe_schedule(pispbe, node_group, false);
+		pispbe_schedule(pispbe, false);
 
 	return 0;
 
