* [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference
@ 2021-11-01 14:53 Hans de Goede
2021-11-06 12:38 ` Hans de Goede
0 siblings, 1 reply; 4+ messages in thread
From: Hans de Goede @ 2021-11-01 14:53 UTC (permalink / raw)
To: Tomasz Figa, Marek Szyprowski, Mauro Carvalho Chehab
Cc: Hans de Goede, Sumit Semwal, Christian König, linux-media,
Sergey Senozhatsky
Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
added a new vb member to struct vb2_dma_sg_buf, but it only added
code setting this to the vb2_dma_sg_alloc() function and not to the
vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
create vb2_dma_sg_buf objects.
This is causing a crash due to a NULL pointer deref when using
libcamera on devices with an Intel IPU3 (qcam app).
Fix these crashes by assigning buf->vb in the other 2 functions too,
note libcamera tests the vb2_dma_sg_get_userptr() path, the change
to the vb2_dma_sg_attach_dmabuf() path is untested.
Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
drivers/media/common/videobuf2/videobuf2-dma-sg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
index 33ee63a99139..0452ed9fac95 100644
--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
+++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
@@ -241,6 +241,7 @@ static void *vb2_dma_sg_get_userptr(struct vb2_buffer *vb, struct device *dev,
buf->offset = vaddr & ~PAGE_MASK;
buf->size = size;
buf->dma_sgt = &buf->sg_table;
+ buf->vb = vb;
vec = vb2_create_framevec(vaddr, size);
if (IS_ERR(vec))
goto userptr_fail_pfnvec;
@@ -642,6 +643,7 @@ static void *vb2_dma_sg_attach_dmabuf(struct vb2_buffer *vb, struct device *dev,
buf->dma_dir = vb->vb2_queue->dma_dir;
buf->size = size;
buf->db_attach = dba;
+ buf->vb = vb;
return buf;
}
--
2.31.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference
2021-11-01 14:53 [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference Hans de Goede
@ 2021-11-06 12:38 ` Hans de Goede
2021-11-15 8:54 ` Tomasz Figa
0 siblings, 1 reply; 4+ messages in thread
From: Hans de Goede @ 2021-11-06 12:38 UTC (permalink / raw)
To: Tomasz Figa, Marek Szyprowski, Mauro Carvalho Chehab
Cc: Sumit Semwal, Christian König, linux-media, Sergey Senozhatsky
Hi,
On 11/1/21 15:53, Hans de Goede wrote:
> Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
> added a new vb member to struct vb2_dma_sg_buf, but it only added
> code setting this to the vb2_dma_sg_alloc() function and not to the
> vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
> create vb2_dma_sg_buf objects.
>
> This is causing a crash due to a NULL pointer deref when using
> libcamera on devices with an Intel IPU3 (qcam app).
>
> Fix these crashes by assigning buf->vb in the other 2 functions too,
> note libcamera tests the vb2_dma_sg_get_userptr() path, the change
> to the vb2_dma_sg_attach_dmabuf() path is untested.
>
> Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
> Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Ping ? This is still an issue in the current media-staging tree.
Regards,
Hans
> ---
> drivers/media/common/videobuf2/videobuf2-dma-sg.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> index 33ee63a99139..0452ed9fac95 100644
> --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> @@ -241,6 +241,7 @@ static void *vb2_dma_sg_get_userptr(struct vb2_buffer *vb, struct device *dev,
> buf->offset = vaddr & ~PAGE_MASK;
> buf->size = size;
> buf->dma_sgt = &buf->sg_table;
> + buf->vb = vb;
> vec = vb2_create_framevec(vaddr, size);
> if (IS_ERR(vec))
> goto userptr_fail_pfnvec;
> @@ -642,6 +643,7 @@ static void *vb2_dma_sg_attach_dmabuf(struct vb2_buffer *vb, struct device *dev,
> buf->dma_dir = vb->vb2_queue->dma_dir;
> buf->size = size;
> buf->db_attach = dba;
> + buf->vb = vb;
>
> return buf;
> }
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference
2021-11-06 12:38 ` Hans de Goede
@ 2021-11-15 8:54 ` Tomasz Figa
2021-11-15 11:20 ` Hans Verkuil
0 siblings, 1 reply; 4+ messages in thread
From: Tomasz Figa @ 2021-11-15 8:54 UTC (permalink / raw)
To: Hans de Goede, Hans Verkuil
Cc: Marek Szyprowski, Mauro Carvalho Chehab, Sumit Semwal,
Christian König, linux-media, Sergey Senozhatsky
Hi Hans,
On Sat, Nov 6, 2021 at 9:39 PM Hans de Goede <hdegoede@redhat.com> wrote:
>
> Hi,
>
> On 11/1/21 15:53, Hans de Goede wrote:
> > Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
> > added a new vb member to struct vb2_dma_sg_buf, but it only added
> > code setting this to the vb2_dma_sg_alloc() function and not to the
> > vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
> > create vb2_dma_sg_buf objects.
> >
> > This is causing a crash due to a NULL pointer deref when using
> > libcamera on devices with an Intel IPU3 (qcam app).
> >
> > Fix these crashes by assigning buf->vb in the other 2 functions too,
> > note libcamera tests the vb2_dma_sg_get_userptr() path, the change
> > to the vb2_dma_sg_attach_dmabuf() path is untested.
> >
> > Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
> > Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
> > Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>
> Ping ? This is still an issue in the current media-staging tree.
Uh, sorry, I thought this was already fixed by [1], but that was only
for the dma-contig allocator. Thanks for the patch.
Acked-by: Tomasz Figa <tfiga@chromium.org>
[1] https://patchwork.kernel.org/project/linux-media/patch/20210928034634.333785-1-senozhatsky@chromium.org/
Hans (V.), would you pick this fix, please?
Best regards,
Tomasz
>
> Regards,
>
> Hans
>
>
> > ---
> > drivers/media/common/videobuf2/videobuf2-dma-sg.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> > index 33ee63a99139..0452ed9fac95 100644
> > --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> > +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> > @@ -241,6 +241,7 @@ static void *vb2_dma_sg_get_userptr(struct vb2_buffer *vb, struct device *dev,
> > buf->offset = vaddr & ~PAGE_MASK;
> > buf->size = size;
> > buf->dma_sgt = &buf->sg_table;
> > + buf->vb = vb;
> > vec = vb2_create_framevec(vaddr, size);
> > if (IS_ERR(vec))
> > goto userptr_fail_pfnvec;
> > @@ -642,6 +643,7 @@ static void *vb2_dma_sg_attach_dmabuf(struct vb2_buffer *vb, struct device *dev,
> > buf->dma_dir = vb->vb2_queue->dma_dir;
> > buf->size = size;
> > buf->db_attach = dba;
> > + buf->vb = vb;
> >
> > return buf;
> > }
> >
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference
2021-11-15 8:54 ` Tomasz Figa
@ 2021-11-15 11:20 ` Hans Verkuil
0 siblings, 0 replies; 4+ messages in thread
From: Hans Verkuil @ 2021-11-15 11:20 UTC (permalink / raw)
To: Tomasz Figa, Hans de Goede
Cc: Marek Szyprowski, Mauro Carvalho Chehab, Sumit Semwal,
Christian König, linux-media, Sergey Senozhatsky
On 15/11/2021 09:54, Tomasz Figa wrote:
> Hi Hans,
>
> On Sat, Nov 6, 2021 at 9:39 PM Hans de Goede <hdegoede@redhat.com> wrote:
>>
>> Hi,
>>
>> On 11/1/21 15:53, Hans de Goede wrote:
>>> Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
>>> added a new vb member to struct vb2_dma_sg_buf, but it only added
>>> code setting this to the vb2_dma_sg_alloc() function and not to the
>>> vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
>>> create vb2_dma_sg_buf objects.
>>>
>>> This is causing a crash due to a NULL pointer deref when using
>>> libcamera on devices with an Intel IPU3 (qcam app).
>>>
>>> Fix these crashes by assigning buf->vb in the other 2 functions too,
>>> note libcamera tests the vb2_dma_sg_get_userptr() path, the change
>>> to the vb2_dma_sg_attach_dmabuf() path is untested.
>>>
>>> Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
>>> Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
>>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>>
>> Ping ? This is still an issue in the current media-staging tree.
>
> Uh, sorry, I thought this was already fixed by [1], but that was only
> for the dma-contig allocator. Thanks for the patch.
>
> Acked-by: Tomasz Figa <tfiga@chromium.org>
>
> [1] https://patchwork.kernel.org/project/linux-media/patch/20210928034634.333785-1-senozhatsky@chromium.org/
>
> Hans (V.), would you pick this fix, please?
Yes, it's in a PR I posted for 5.16.
Regards,
Hans
>
> Best regards,
> Tomasz
>
>>
>> Regards,
>>
>> Hans
>>
>>
>>> ---
>>> drivers/media/common/videobuf2/videobuf2-dma-sg.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
>>> index 33ee63a99139..0452ed9fac95 100644
>>> --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
>>> +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
>>> @@ -241,6 +241,7 @@ static void *vb2_dma_sg_get_userptr(struct vb2_buffer *vb, struct device *dev,
>>> buf->offset = vaddr & ~PAGE_MASK;
>>> buf->size = size;
>>> buf->dma_sgt = &buf->sg_table;
>>> + buf->vb = vb;
>>> vec = vb2_create_framevec(vaddr, size);
>>> if (IS_ERR(vec))
>>> goto userptr_fail_pfnvec;
>>> @@ -642,6 +643,7 @@ static void *vb2_dma_sg_attach_dmabuf(struct vb2_buffer *vb, struct device *dev,
>>> buf->dma_dir = vb->vb2_queue->dma_dir;
>>> buf->size = size;
>>> buf->db_attach = dba;
>>> + buf->vb = vb;
>>>
>>> return buf;
>>> }
>>>
>>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-11-15 11:20 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-01 14:53 [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference Hans de Goede
2021-11-06 12:38 ` Hans de Goede
2021-11-15 8:54 ` Tomasz Figa
2021-11-15 11:20 ` Hans Verkuil
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).