[PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference

linux-media.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference
@ 2021-11-01 14:53 Hans de Goede
  2021-11-06 12:38 ` Hans de Goede
  0 siblings, 1 reply; 4+ messages in thread
From: Hans de Goede @ 2021-11-01 14:53 UTC (permalink / raw)
  To: Tomasz Figa, Marek Szyprowski, Mauro Carvalho Chehab
  Cc: Hans de Goede, Sumit Semwal, Christian König, linux-media,
	Sergey Senozhatsky

Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
added a new vb member to struct vb2_dma_sg_buf, but it only added
code setting this to the vb2_dma_sg_alloc() function and not to the
vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
create vb2_dma_sg_buf objects.

This is causing a crash due to a NULL pointer deref when using
libcamera on devices with an Intel IPU3 (qcam app).

Fix these crashes by assigning buf->vb in the other 2 functions too,
note libcamera tests the vb2_dma_sg_get_userptr() path, the change
to the vb2_dma_sg_attach_dmabuf() path is untested.

Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 drivers/media/common/videobuf2/videobuf2-dma-sg.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
index 33ee63a99139..0452ed9fac95 100644
--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
+++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
@@ -241,6 +241,7 @@ static void *vb2_dma_sg_get_userptr(struct vb2_buffer *vb, struct device *dev,
 	buf->offset = vaddr & ~PAGE_MASK;
 	buf->size = size;
 	buf->dma_sgt = &buf->sg_table;
+	buf->vb = vb;
 	vec = vb2_create_framevec(vaddr, size);
 	if (IS_ERR(vec))
 		goto userptr_fail_pfnvec;
@@ -642,6 +643,7 @@ static void *vb2_dma_sg_attach_dmabuf(struct vb2_buffer *vb, struct device *dev,
 	buf->dma_dir = vb->vb2_queue->dma_dir;
 	buf->size = size;
 	buf->db_attach = dba;
+	buf->vb = vb;
 
 	return buf;
 }
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference
  2021-11-01 14:53 [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference Hans de Goede
@ 2021-11-06 12:38 ` Hans de Goede
  2021-11-15  8:54   ` Tomasz Figa
  0 siblings, 1 reply; 4+ messages in thread
From: Hans de Goede @ 2021-11-06 12:38 UTC (permalink / raw)
  To: Tomasz Figa, Marek Szyprowski, Mauro Carvalho Chehab
  Cc: Sumit Semwal, Christian König, linux-media, Sergey Senozhatsky

Hi,

On 11/1/21 15:53, Hans de Goede wrote:
> Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
> added a new vb member to struct vb2_dma_sg_buf, but it only added
> code setting this to the vb2_dma_sg_alloc() function and not to the
> vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
> create vb2_dma_sg_buf objects.
> 
> This is causing a crash due to a NULL pointer deref when using
> libcamera on devices with an Intel IPU3 (qcam app).
> 
> Fix these crashes by assigning buf->vb in the other 2 functions too,
> note libcamera tests the vb2_dma_sg_get_userptr() path, the change
> to the vb2_dma_sg_attach_dmabuf() path is untested.
> 
> Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
> Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>

Ping ? This is still an issue in the current media-staging tree.

Regards,

Hans


> ---
>  drivers/media/common/videobuf2/videobuf2-dma-sg.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> index 33ee63a99139..0452ed9fac95 100644
> --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> @@ -241,6 +241,7 @@ static void *vb2_dma_sg_get_userptr(struct vb2_buffer *vb, struct device *dev,
>  	buf->offset = vaddr & ~PAGE_MASK;
>  	buf->size = size;
>  	buf->dma_sgt = &buf->sg_table;
> +	buf->vb = vb;
>  	vec = vb2_create_framevec(vaddr, size);
>  	if (IS_ERR(vec))
>  		goto userptr_fail_pfnvec;
> @@ -642,6 +643,7 @@ static void *vb2_dma_sg_attach_dmabuf(struct vb2_buffer *vb, struct device *dev,
>  	buf->dma_dir = vb->vb2_queue->dma_dir;
>  	buf->size = size;
>  	buf->db_attach = dba;
> +	buf->vb = vb;
>  
>  	return buf;
>  }
> 


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference
  2021-11-06 12:38 ` Hans de Goede
@ 2021-11-15  8:54   ` Tomasz Figa
  2021-11-15 11:20     ` Hans Verkuil
  0 siblings, 1 reply; 4+ messages in thread
From: Tomasz Figa @ 2021-11-15  8:54 UTC (permalink / raw)
  To: Hans de Goede, Hans Verkuil
  Cc: Marek Szyprowski, Mauro Carvalho Chehab, Sumit Semwal,
	Christian König, linux-media, Sergey Senozhatsky

Hi Hans,

On Sat, Nov 6, 2021 at 9:39 PM Hans de Goede <hdegoede@redhat.com> wrote:
>
> Hi,
>
> On 11/1/21 15:53, Hans de Goede wrote:
> > Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
> > added a new vb member to struct vb2_dma_sg_buf, but it only added
> > code setting this to the vb2_dma_sg_alloc() function and not to the
> > vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
> > create vb2_dma_sg_buf objects.
> >
> > This is causing a crash due to a NULL pointer deref when using
> > libcamera on devices with an Intel IPU3 (qcam app).
> >
> > Fix these crashes by assigning buf->vb in the other 2 functions too,
> > note libcamera tests the vb2_dma_sg_get_userptr() path, the change
> > to the vb2_dma_sg_attach_dmabuf() path is untested.
> >
> > Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
> > Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
> > Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>
> Ping ? This is still an issue in the current media-staging tree.

Uh, sorry, I thought this was already fixed by [1], but that was only
for the dma-contig allocator. Thanks for the patch.

Acked-by: Tomasz Figa <tfiga@chromium.org>

[1] https://patchwork.kernel.org/project/linux-media/patch/20210928034634.333785-1-senozhatsky@chromium.org/

Hans (V.), would you pick this fix, please?

Best regards,
Tomasz

>
> Regards,
>
> Hans
>
>
> > ---
> >  drivers/media/common/videobuf2/videobuf2-dma-sg.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> > index 33ee63a99139..0452ed9fac95 100644
> > --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> > +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
> > @@ -241,6 +241,7 @@ static void *vb2_dma_sg_get_userptr(struct vb2_buffer *vb, struct device *dev,
> >       buf->offset = vaddr & ~PAGE_MASK;
> >       buf->size = size;
> >       buf->dma_sgt = &buf->sg_table;
> > +     buf->vb = vb;
> >       vec = vb2_create_framevec(vaddr, size);
> >       if (IS_ERR(vec))
> >               goto userptr_fail_pfnvec;
> > @@ -642,6 +643,7 @@ static void *vb2_dma_sg_attach_dmabuf(struct vb2_buffer *vb, struct device *dev,
> >       buf->dma_dir = vb->vb2_queue->dma_dir;
> >       buf->size = size;
> >       buf->db_attach = dba;
> > +     buf->vb = vb;
> >
> >       return buf;
> >  }
> >
>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference
  2021-11-15  8:54   ` Tomasz Figa
@ 2021-11-15 11:20     ` Hans Verkuil
  0 siblings, 0 replies; 4+ messages in thread
From: Hans Verkuil @ 2021-11-15 11:20 UTC (permalink / raw)
  To: Tomasz Figa, Hans de Goede
  Cc: Marek Szyprowski, Mauro Carvalho Chehab, Sumit Semwal,
	Christian König, linux-media, Sergey Senozhatsky

On 15/11/2021 09:54, Tomasz Figa wrote:
> Hi Hans,
> 
> On Sat, Nov 6, 2021 at 9:39 PM Hans de Goede <hdegoede@redhat.com> wrote:
>>
>> Hi,
>>
>> On 11/1/21 15:53, Hans de Goede wrote:
>>> Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
>>> added a new vb member to struct vb2_dma_sg_buf, but it only added
>>> code setting this to the vb2_dma_sg_alloc() function and not to the
>>> vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
>>> create vb2_dma_sg_buf objects.
>>>
>>> This is causing a crash due to a NULL pointer deref when using
>>> libcamera on devices with an Intel IPU3 (qcam app).
>>>
>>> Fix these crashes by assigning buf->vb in the other 2 functions too,
>>> note libcamera tests the vb2_dma_sg_get_userptr() path, the change
>>> to the vb2_dma_sg_attach_dmabuf() path is untested.
>>>
>>> Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
>>> Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
>>> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
>>
>> Ping ? This is still an issue in the current media-staging tree.
> 
> Uh, sorry, I thought this was already fixed by [1], but that was only
> for the dma-contig allocator. Thanks for the patch.
> 
> Acked-by: Tomasz Figa <tfiga@chromium.org>
> 
> [1] https://patchwork.kernel.org/project/linux-media/patch/20210928034634.333785-1-senozhatsky@chromium.org/
> 
> Hans (V.), would you pick this fix, please?

Yes, it's in a PR I posted for 5.16.

Regards,

	Hans

> 
> Best regards,
> Tomasz
> 
>>
>> Regards,
>>
>> Hans
>>
>>
>>> ---
>>>  drivers/media/common/videobuf2/videobuf2-dma-sg.c | 2 ++
>>>  1 file changed, 2 insertions(+)
>>>
>>> diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
>>> index 33ee63a99139..0452ed9fac95 100644
>>> --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
>>> +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
>>> @@ -241,6 +241,7 @@ static void *vb2_dma_sg_get_userptr(struct vb2_buffer *vb, struct device *dev,
>>>       buf->offset = vaddr & ~PAGE_MASK;
>>>       buf->size = size;
>>>       buf->dma_sgt = &buf->sg_table;
>>> +     buf->vb = vb;
>>>       vec = vb2_create_framevec(vaddr, size);
>>>       if (IS_ERR(vec))
>>>               goto userptr_fail_pfnvec;
>>> @@ -642,6 +643,7 @@ static void *vb2_dma_sg_attach_dmabuf(struct vb2_buffer *vb, struct device *dev,
>>>       buf->dma_dir = vb->vb2_queue->dma_dir;
>>>       buf->size = size;
>>>       buf->db_attach = dba;
>>> +     buf->vb = vb;
>>>
>>>       return buf;
>>>  }
>>>
>>


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-11-15 11:20 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-01 14:53 [PATCH media-staging regression fix] media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference Hans de Goede
2021-11-06 12:38 ` Hans de Goede
2021-11-15  8:54   ` Tomasz Figa
2021-11-15 11:20     ` Hans Verkuil

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).