* [PATCH] media: staging/intel-ipu3: Finalize subdev initialization to allocate active state
From: Maximilian Luz @ 2022-09-07 12:33 UTC
To: Sakari Ailus
Cc: Bingbu Cao, Tianshu Qiu, Mauro Carvalho Chehab,
Greg Kroah-Hartman, Tomi Valkeinen, Laurent Pinchart,
Jacopo Mondi, Hans Verkuil, linux-media, linux-staging,
linux-kernel, Maximilian Luz

Commit f69952a4dc1e ("media: subdev: add active state to struct
v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
This state needs to be allocated via v4l2_subdev_init_finalize(). The
intel-ipu3 driver unfortunately does not do that, due to which,
active_state is NULL and we run into an oops (NULL pointer dereference)
when that state is accessed.

In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
("media: subdev: pass also the active state to subdevs from ioctls")
passes that state on to the subdev IOCTLs. An example scenario where
this happens is running libcamera's qcam or cam on a device with IPU3,
for example the Microsoft Surface Book 2. In this case, the oops is
reproducible in v4l2_subdev_get_try_crop(), called via
imgu_subdev_set_selection().

To fix this, allocate the active_state member via
v4l2_subdev_init_finalize().

Link: https://github.com/linux-surface/linux-surface/issues/907
Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
---
drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
index d1c539cefba8..84ab98ba9a2e 100644
--- a/drivers/staging/media/ipu3/ipu3-v4l2.c
+++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
@@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
"failed to create subdev v4l2 ctrl with err %d", r);
goto fail_subdev;
}
+
+ r = v4l2_subdev_init_finalize(&imgu_sd->subdev);
+ if (r) {
+ dev_err(&imgu->pci_dev->dev,
+ "failed to initialize subdev (%d)\n", r);
+ goto fail_subdev;
+ }
+
r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev);
if (r) {
dev_err(&imgu->pci_dev->dev,
- "failed initialize subdev (%d)\n", r);
+ "failed to register subdev (%d)\n", r);
goto fail_subdev;
}
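Review bot: Allocating the active state with v4l2_subdev_init_finalize() ahead of v4l2_device_register_subdev() masks the NULL dereference instead of fixing the handler that triggers it. The commit message places the oops in v4l2_subdev_get_try_crop() called via imgu_subdev_set_selection(), and that handler is not touched by this patch. If the driver's pad operations do not otherwise read or write the active state, correcting the state access in imgu_subdev_set_selection() would be the narrower change and would avoid allocating state that is never used. Separately, the reworded string "failed to register subdev (%d)\n" is a correct but unrelated cleanup; mention it in the commit message or split it out.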
@@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
return 0;
fail_subdev:
+ v4l2_subdev_cleanup(&imgu_sd->subdev);
v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler);
media_entity_cleanup(&imgu_sd->subdev.entity);
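Review bot: The v4l2_subdev_cleanup() call added under fail_subdev also runs on paths where v4l2_subdev_init_finalize() never completed. The ctrl-handler failure shown in the first hunk does goto fail_subdev before the finalize call, and a failed finalize jumps to the same label. Either state in the commit message that v4l2_subdev_cleanup() is safe on a subdev that was not finalized, or add a second label so that only the v4l2_device_register_subdev() failure path undoes the finalize.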
@@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i)
struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i];
v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev);
+ v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev);
v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler);
media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity);
}
--
2.37.3
* Re: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization to allocate active state
From: Tomi Valkeinen @ 2022-09-07 12:46 UTC
To: Maximilian Luz, Sakari Ailus
Cc: Bingbu Cao, Tianshu Qiu, Mauro Carvalho Chehab,
Greg Kroah-Hartman, Laurent Pinchart, Jacopo Mondi, Hans Verkuil,
linux-media, linux-staging, linux-kernel
Hi Maximilian,
On 07/09/2022 15:33, Maximilian Luz wrote:
> Commit f69952a4dc1e ("media: subdev: add active state to struct
> v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
> This state needs to be allocated via v4l2_subdev_init_finalize(). The
> intel-ipu3 driver unfortunately does not do that, due to which,
That is fine, a driver only needs to allocate the active state if it uses
the active state.
> active_state is NULL and we run into an oops (NULL pointer dereference)
> when that state is accessed.
>
> In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
> ("media: subdev: pass also the active state to subdevs from ioctls")
> passes that state on to the subdev IOCTLs. An example scenario where
> this happens is running libcamera's qcam or cam on a device with IPU3,
> for example the Microsoft Surface Book 2. In this case, the oops is
> reproducible in v4l2_subdev_get_try_crop(), called via
> imgu_subdev_set_selection().
>
> To fix this, allocate the active_state member via
> v4l2_subdev_init_finalize().
This is not a correct fix. Sakari has sent (and maybe pushed?) this:
https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@linux.intel.com/
Tomi
> Link: https://github.com/linux-surface/linux-surface/issues/907
> Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
> Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
> ---
> drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
> index d1c539cefba8..84ab98ba9a2e 100644
> --- a/drivers/staging/media/ipu3/ipu3-v4l2.c
> +++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
> @@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
> "failed to create subdev v4l2 ctrl with err %d", r);
> goto fail_subdev;
> }
> +
> + r = v4l2_subdev_init_finalize(&imgu_sd->subdev);
> + if (r) {
> + dev_err(&imgu->pci_dev->dev,
> + "failed to initialize subdev (%d)\n", r);
> + goto fail_subdev;
> + }
> +
> r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev);
> if (r) {
> dev_err(&imgu->pci_dev->dev,
> - "failed initialize subdev (%d)\n", r);
> + "failed to register subdev (%d)\n", r);
> goto fail_subdev;
> }
>
> @@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
> return 0;
>
> fail_subdev:
> + v4l2_subdev_cleanup(&imgu_sd->subdev);
> v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler);
> media_entity_cleanup(&imgu_sd->subdev.entity);
>
> @@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i)
> struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i];
>
> v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev);
> + v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev);
> v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler);
> media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity);
> }
* Re: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization to allocate active state
From: Laurent Pinchart @ 2022-09-07 13:09 UTC
To: Tomi Valkeinen
Cc: Maximilian Luz, Sakari Ailus, Bingbu Cao, Tianshu Qiu,
Mauro Carvalho Chehab, Greg Kroah-Hartman, Jacopo Mondi,
Hans Verkuil, linux-media, linux-staging, linux-kernel
On Wed, Sep 07, 2022 at 03:46:26PM +0300, Tomi Valkeinen wrote:
> Hi Maximilian,
>
> On 07/09/2022 15:33, Maximilian Luz wrote:
> > Commit f69952a4dc1e ("media: subdev: add active state to struct
> > v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
> > This state needs to be allocated via v4l2_subdev_init_finalize(). The
> > intel-ipu3 driver unfortunately does not do that, due to which,
>
> That is fine, a driver only needs to allocate the active state if it uses
> the active state.
>
> > active_state is NULL and we run into an oops (NULL pointer dereference)
> > when that state is accessed.
> >
> > In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
> > ("media: subdev: pass also the active state to subdevs from ioctls")
> > passes that state on to the subdev IOCTLs. An example scenario where
> > this happens is running libcamera's qcam or cam on a device with IPU3,
> > for example the Microsoft Surface Book 2. In this case, the oops is
> > reproducible in v4l2_subdev_get_try_crop(), called via
> > imgu_subdev_set_selection().
> >
> > To fix this, allocate the active_state member via
> > v4l2_subdev_init_finalize().
>
> This is not a correct fix. Sakari has sent (and maybe pushed?) this:
>
> https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@linux.intel.com/
This being said, it would be nice to convert drivers to use the active
state, but that's not related to fixing this issue.
> > Link: https://github.com/linux-surface/linux-surface/issues/907
> > Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
> > Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
> > ---
> > drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
> > 1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
> > index d1c539cefba8..84ab98ba9a2e 100644
> > --- a/drivers/staging/media/ipu3/ipu3-v4l2.c
> > +++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
> > @@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
> > "failed to create subdev v4l2 ctrl with err %d", r);
> > goto fail_subdev;
> > }
> > +
> > + r = v4l2_subdev_init_finalize(&imgu_sd->subdev);
> > + if (r) {
> > + dev_err(&imgu->pci_dev->dev,
> > + "failed to initialize subdev (%d)\n", r);
> > + goto fail_subdev;
> > + }
> > +
> > r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev);
> > if (r) {
> > dev_err(&imgu->pci_dev->dev,
> > - "failed initialize subdev (%d)\n", r);
> > + "failed to register subdev (%d)\n", r);
> > goto fail_subdev;
> > }
> >
> > @@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
> > return 0;
> >
> > fail_subdev:
> > + v4l2_subdev_cleanup(&imgu_sd->subdev);
> > v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler);
> > media_entity_cleanup(&imgu_sd->subdev.entity);
> >
> > @@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i)
> > struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i];
> >
> > v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev);
> > + v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev);
> > v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler);
> > media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity);
> > }
>
--
Regards,
Laurent Pinchart
* Re: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization to allocate active state
From: Maximilian Luz @ 2022-09-07 13:18 UTC
To: Tomi Valkeinen, Sakari Ailus
Cc: Bingbu Cao, Tianshu Qiu, Mauro Carvalho Chehab,
Greg Kroah-Hartman, Laurent Pinchart, Jacopo Mondi, Hans Verkuil,
linux-media, linux-staging, linux-kernel
Hi,
On 9/7/22 14:46, Tomi Valkeinen wrote:
> Hi Maximilian,
>
> On 07/09/2022 15:33, Maximilian Luz wrote:
>> Commit f69952a4dc1e ("media: subdev: add active state to struct
>> v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
>> This state needs to be allocated via v4l2_subdev_init_finalize(). The
>> intel-ipu3 driver unfortunately does not do that, due to which,
>
> That is fine, a driver only needs to allocate the active state if it uses
> the active state.
>
>> active_state is NULL and we run into an oops (NULL pointer dereference)
>> when that state is accessed.
>>
>> In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
>> ("media: subdev: pass also the active state to subdevs from ioctls")
>> passes that state on to the subdev IOCTLs. An example scenario where
>> this happens is running libcamera's qcam or cam on a device with IPU3,
>> for example the Microsoft Surface Book 2. In this case, the oops is
>> reproducible in v4l2_subdev_get_try_crop(), called via
>> imgu_subdev_set_selection().
>>
>> To fix this, allocate the active_state member via
>> v4l2_subdev_init_finalize().
>
> This is not a correct fix. Sakari has sent (and maybe pushed?) this:
>
> https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@linux.intel.com/
Thanks! Unfortunately that doesn't fix the issue completely: That patch
addresses imgu_subdev_get_selection() but imgu_subdev_set_selection()
still runs into the oops.
I assume a similar fix to the one you linked is needed? I'll give that a
try.
Regards,
Max