linux-renesas-soc.vger.kernel.org archive mirror
* [PATCH] media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev()
@ 2023-11-30 17:32 Biju Das
  2023-12-11 17:10 ` Biju Das
  0 siblings, 1 reply; 5+ messages in thread
From: Biju Das @ 2023-11-30 17:32 UTC (permalink / raw)
  To: Sakari Ailus, Mauro Carvalho Chehab
  Cc: Biju Das, linux-media, Geert Uytterhoeven, Prabhakar Mahadev Lad,
	Biju Das, linux-renesas-soc

The v4l2_async_unbind_subdev_one() deallocates the pointer
&asc->asc_subdev_entry. The same pointer is again used to
deallocate in list_del() leading to the below kernel crash.

Unable to handle kernel paging request at virtual address dead000000000108
v4l2_async_unregister_subdev+0xf8/0x164
rzg2l_csi2_remove+0x30/0x5c
platform_remove+0x28/0x64
device_remove+0x48/0x74
device_release_driver_internal+0x1d8/0x234
device_driver_detach+0x14/0x1c
unbind_store+0xac/0xb0

Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections between entities")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
 drivers/media/v4l2-core/v4l2-async.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
index 091e8cf4114b..8cfd593d293d 100644
--- a/drivers/media/v4l2-core/v4l2-async.c
+++ b/drivers/media/v4l2-core/v4l2-async.c
@@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct v4l2_subdev *sd)
 				  &asc->notifier->waiting_list);
 
 			v4l2_async_unbind_subdev_one(asc->notifier, asc);
-			list_del(&asc->asc_subdev_entry);
 		}
 	}
 
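Review bot: The removed list_del(&asc->asc_subdev_entry) is a second unlink of a list entry, not a second free, so the subject and log ("double pointer free", "deallocates the pointer") should say double list_del instead. The fault address dead000000000108 in the log is what list poisoning produces: list_del() leaves entry->next at LIST_POISON1 (dead000000000100 with the arm64 poison offset), and a second list_del() then writes next->prev, 8 bytes in. The hunk does not show the body of v4l2_async_unbind_subdev_one(), so the log should state explicitly that the helper already calls list_del() on asc_subdev_entry; a CONFIG_DEBUG_LIST report in the log would make that evidence direct.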
-- 
2.25.1



* RE: [PATCH] media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev()
  2023-11-30 17:32 [PATCH] media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev() Biju Das
@ 2023-12-11 17:10 ` Biju Das
  2024-01-04 11:05   ` Biju Das
  0 siblings, 1 reply; 5+ messages in thread
From: Biju Das @ 2023-12-11 17:10 UTC (permalink / raw)
  To: Biju Das, Sakari Ailus, Mauro Carvalho Chehab
  Cc: linux-media, Geert Uytterhoeven, Prabhakar Mahadev Lad,
	biju.das.au, linux-renesas-soc

Hi All,

Gentle ping. Are we happy with this fix? Please let me know.

This issue is reproducible on RZ/G2L SMARC EVK.

Cheers,
Biju

> -----Original Message-----
> From: Biju Das <biju.das.jz@bp.renesas.com>
> Sent: Thursday, November 30, 2023 5:33 PM
> Subject: [PATCH] media: v4l: async: Fix double pointer free on
> v4l2_async_unregister_subdev()
> 
> The v4l2_async_unbind_subdev_one() deallocates the pointer &asc-
> >asc_subdev_entry. The same pointer is again used to deallocate in
> list_del() leading to the below kernel crash.
> 
> Unable to handle kernel paging request at virtual address dead000000000108
> v4l2_async_unregister_subdev+0xf8/0x164
> rzg2l_csi2_remove+0x30/0x5c
> platform_remove+0x28/0x64
> device_remove+0x48/0x74
> device_release_driver_internal+0x1d8/0x234
> device_driver_detach+0x14/0x1c
> unbind_store+0xac/0xb0
> 
> Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections
> between entities")
> Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> ---
>  drivers/media/v4l2-core/v4l2-async.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-
> core/v4l2-async.c
> index 091e8cf4114b..8cfd593d293d 100644
> --- a/drivers/media/v4l2-core/v4l2-async.c
> +++ b/drivers/media/v4l2-core/v4l2-async.c
> @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct v4l2_subdev
> *sd)
>  				  &asc->notifier->waiting_list);
> 
>  			v4l2_async_unbind_subdev_one(asc->notifier, asc);
> -			list_del(&asc->asc_subdev_entry);
>  		}
>  	}
> 
> --
> 2.25.1



* RE: [PATCH] media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev()
  2023-12-11 17:10 ` Biju Das
@ 2024-01-04 11:05   ` Biju Das
  2024-01-05  8:30     ` Sakari Ailus
  0 siblings, 1 reply; 5+ messages in thread
From: Biju Das @ 2024-01-04 11:05 UTC (permalink / raw)
  To: Sakari Ailus, Mauro Carvalho Chehab
  Cc: linux-media, Geert Uytterhoeven, Prabhakar Mahadev Lad,
	biju.das.au, linux-renesas-soc

Hi All, 

Gentle ping. Are we happy with this fix? Please let me know.

Cheers,
Biju


> -----Original Message-----
> From: Biju Das <biju.das.jz@bp.renesas.com>
> Sent: Monday, December 11, 2023 5:10 PM
> Subject: RE: [PATCH] media: v4l: async: Fix double pointer free on
> v4l2_async_unregister_subdev()
> 
> Hi All,
> 
> Gentle ping. Are we happy with this fix? Please let me know.
> 
> This issue is reproducible on RZ/G2L SMARC EVK.
> 
> Cheers,
> Biju
> 
> > -----Original Message-----
> > From: Biju Das <biju.das.jz@bp.renesas.com>
> > Sent: Thursday, November 30, 2023 5:33 PM
> > Subject: [PATCH] media: v4l: async: Fix double pointer free on
> > v4l2_async_unregister_subdev()
> >
> > The v4l2_async_unbind_subdev_one() deallocates the pointer &asc-
> > >asc_subdev_entry. The same pointer is again used to deallocate in
> > list_del() leading to the below kernel crash.
> >
> > Unable to handle kernel paging request at virtual address
> > dead000000000108
> > v4l2_async_unregister_subdev+0xf8/0x164
> > rzg2l_csi2_remove+0x30/0x5c
> > platform_remove+0x28/0x64
> > device_remove+0x48/0x74
> > device_release_driver_internal+0x1d8/0x234
> > device_driver_detach+0x14/0x1c
> > unbind_store+0xac/0xb0
> >
> > Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections
> > between entities")
> > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> > ---
> >  drivers/media/v4l2-core/v4l2-async.c | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/drivers/media/v4l2-core/v4l2-async.c
> > b/drivers/media/v4l2- core/v4l2-async.c index
> > 091e8cf4114b..8cfd593d293d 100644
> > --- a/drivers/media/v4l2-core/v4l2-async.c
> > +++ b/drivers/media/v4l2-core/v4l2-async.c
> > @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct
> > v4l2_subdev
> > *sd)
> >  				  &asc->notifier->waiting_list);
> >
> >  			v4l2_async_unbind_subdev_one(asc->notifier, asc);
> > -			list_del(&asc->asc_subdev_entry);
> >  		}
> >  	}
> >
> > --
> > 2.25.1



* Re: [PATCH] media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev()
  2024-01-04 11:05   ` Biju Das
@ 2024-01-05  8:30     ` Sakari Ailus
  2024-01-05  9:03       ` Biju Das
  0 siblings, 1 reply; 5+ messages in thread
From: Sakari Ailus @ 2024-01-05  8:30 UTC (permalink / raw)
  To: Biju Das
  Cc: Mauro Carvalho Chehab, linux-media, Geert Uytterhoeven,
	Prabhakar Mahadev Lad, biju.das.au, linux-renesas-soc

Hi Biju,

On Thu, Jan 04, 2024 at 11:05:46AM +0000, Biju Das wrote:
> Hi All, 
> 
> Gentle ping. Are we happy with this fix? Please let me know.

Thanks for the patch.

The issue has been fixed by Sebastian's patch (commit
3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2 in media tree master).

-- 
Regards,

Sakari Ailus


* RE: [PATCH] media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev()
  2024-01-05  8:30     ` Sakari Ailus
@ 2024-01-05  9:03       ` Biju Das
  0 siblings, 0 replies; 5+ messages in thread
From: Biju Das @ 2024-01-05  9:03 UTC (permalink / raw)
  To: Sakari Ailus
  Cc: Mauro Carvalho Chehab, linux-media, Geert Uytterhoeven,
	Prabhakar Mahadev Lad, biju.das.au, linux-renesas-soc

Hi Sakari Ailus,

Thanks for the feedback.

> -----Original Message-----
> From: Sakari Ailus <sakari.ailus@linux.intel.com>
> Sent: Friday, January 5, 2024 8:30 AM
> Subject: Re: [PATCH] media: v4l: async: Fix double pointer free on
> v4l2_async_unregister_subdev()
> 
> Hi Biju,
> 
> On Thu, Jan 04, 2024 at 11:05:46AM +0000, Biju Das wrote:
> > Hi All,
> >
> > Gentle ping. Are we happy with this fix? Please let me know.
> 
> Thanks for the patch.
> 
> The issue has been fixed by Sebastian's patch (commit
> 3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2 in media tree master).

OK, I will drop this patch.

I got new info using CONFIG_DEBUG_LIST for list_del corruption issues.
For me, the issue hits with unbinding the driver.

Cheers,
Biju
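
The crash address in the original report and the CONFIG_DEBUG_LIST remark above both come down to list poisoning. The following is an added userspace example, not code from the thread or from the kernel: it models a poisoning list_del(), computes where an unchecked second delete would write, and shows a validate-before-write check in the spirit of CONFIG_DEBUG_LIST. The poison constants assume a 64-bit build with the arm64 illegal-pointer offset; first_write_addr(), list_del_checked() and double_delete_demo() are hypothetical names.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model; poison values assume a 64-bit build (constructed here). */
#define POISON_DELTA 0xdead000000000000ULL
#define LIST_POISON1 ((struct list_head *)(uintptr_t)(POISON_DELTA + 0x100))
#define LIST_POISON2 ((struct list_head *)(uintptr_t)(POISON_DELTA + 0x122))

struct list_head { struct list_head *next, *prev; };

/* First address an unchecked list_del() writes to: &entry->next->prev. */
static uintptr_t first_write_addr(const struct list_head *entry)
{
	return (uintptr_t)entry->next + offsetof(struct list_head, prev);
}

/* Checked delete in the spirit of CONFIG_DEBUG_LIST: validate before writing. */
static bool list_del_checked(struct list_head *entry)
{
	if (entry->next == LIST_POISON1 || entry->prev == LIST_POISON2)
		return false;	/* entry was already deleted once */
	if (entry->prev->next != entry || entry->next->prev != entry)
		return false;	/* neighbours do not point back: corrupted */
	entry->next->prev = entry->prev;
	entry->prev->next = entry->next;
	entry->next = LIST_POISON1;	/* poison so that reuse is detectable */
	entry->prev = LIST_POISON2;
	return true;
}

/* Hypothetical stand-in for "helper unlinks, caller deletes again"; bit0/bit1 = 1st/2nd ok. */
static int double_delete_demo(uintptr_t *fault_addr)
{
	struct list_head head, entry;
	head.next = head.prev = &entry;		/* one-element list */
	entry.next = entry.prev = &head;
	bool first = list_del_checked(&entry);
	*fault_addr = first_write_addr(&entry);	/* target of a raw second delete */
	bool second = list_del_checked(&entry);
	return (first ? 1 : 0) | (second ? 2 : 0);
}

int main(void)
{
	uintptr_t addr;
	int r = double_delete_demo(&addr);
	printf("result=%d fault=0x%" PRIxPTR "\n", r, addr);
}
```
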
