media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev()

Message ID 20231130173232.130731-1-biju.das.jz@bp.renesas.com (mailing list archive)
State Not Applicable
Delegated to: Sakari Ailus
Headers
Series media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev() |

Commit Message

Biju Das Nov. 30, 2023, 5:32 p.m. UTC
  The v4l2_async_unbind_subdev_one() deallocates the pointer
&asc->asc_subdev_entry. The same pointer is again used to
deallocate in list_del() leading to the below kernel crash.

Unable to handle kernel paging request at virtual address dead000000000108
v4l2_async_unregister_subdev+0xf8/0x164
rzg2l_csi2_remove+0x30/0x5c
platform_remove+0x28/0x64
device_remove+0x48/0x74
device_release_driver_internal+0x1d8/0x234
device_driver_detach+0x14/0x1c
unbind_store+0xac/0xb0

Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections between entities")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
 drivers/media/v4l2-core/v4l2-async.c | 1 -
 1 file changed, 1 deletion(-)
  

Comments

Biju Das Dec. 11, 2023, 5:10 p.m. UTC | #1
Hi All,

Gentle ping. Are we happy with this fix? Please let me know.

This issue is reproducible on RZ/G2L SMARC EVK.

Cheers,
Biju

> -----Original Message-----
> From: Biju Das <biju.das.jz@bp.renesas.com>
> Sent: Thursday, November 30, 2023 5:33 PM
> Subject: [PATCH] media: v4l: async: Fix double pointer free on
> v4l2_async_unregister_subdev()
> 
> The v4l2_async_unbind_subdev_one() deallocates the pointer &asc-
> >asc_subdev_entry. The same pointer is again used to deallocate in
> list_del() leading to the below kernel crash.
> 
> Unable to handle kernel paging request at virtual address dead000000000108
> v4l2_async_unregister_subdev+0xf8/0x164
> rzg2l_csi2_remove+0x30/0x5c
> platform_remove+0x28/0x64
> device_remove+0x48/0x74
> device_release_driver_internal+0x1d8/0x234
> device_driver_detach+0x14/0x1c
> unbind_store+0xac/0xb0
> 
> Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections
> between entities")
> Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> ---
>  drivers/media/v4l2-core/v4l2-async.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-
> core/v4l2-async.c
> index 091e8cf4114b..8cfd593d293d 100644
> --- a/drivers/media/v4l2-core/v4l2-async.c
> +++ b/drivers/media/v4l2-core/v4l2-async.c
> @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct v4l2_subdev
> *sd)
>  				  &asc->notifier->waiting_list);
> 
>  			v4l2_async_unbind_subdev_one(asc->notifier, asc);
> -			list_del(&asc->asc_subdev_entry);
>  		}
>  	}
> 
> --
> 2.25.1
  
Biju Das Jan. 4, 2024, 11:05 a.m. UTC | #2
Hi All, 

Gentle ping. Are we happy with this fix? Please let me know.

Cheers,
Biju


> -----Original Message-----
> From: Biju Das <biju.das.jz@bp.renesas.com>
> Sent: Monday, December 11, 2023 5:10 PM
> Subject: RE: [PATCH] media: v4l: async: Fix double pointer free on
> v4l2_async_unregister_subdev()
> 
> Hi All,
> 
> Gentle ping. Are we happy with this fix? Please let me know.
> 
> This issue is reproducible on RZ/G2L SMARC EVK.
> 
> Cheers,
> Biju
> 
> > -----Original Message-----
> > From: Biju Das <biju.das.jz@bp.renesas.com>
> > Sent: Thursday, November 30, 2023 5:33 PM
> > Subject: [PATCH] media: v4l: async: Fix double pointer free on
> > v4l2_async_unregister_subdev()
> >
> > The v4l2_async_unbind_subdev_one() deallocates the pointer &asc-
> > >asc_subdev_entry. The same pointer is again used to deallocate in
> > list_del() leading to the below kernel crash.
> >
> > Unable to handle kernel paging request at virtual address
> > dead000000000108
> > v4l2_async_unregister_subdev+0xf8/0x164
> > rzg2l_csi2_remove+0x30/0x5c
> > platform_remove+0x28/0x64
> > device_remove+0x48/0x74
> > device_release_driver_internal+0x1d8/0x234
> > device_driver_detach+0x14/0x1c
> > unbind_store+0xac/0xb0
> >
> > Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections
> > between entities")
> > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
> > ---
> >  drivers/media/v4l2-core/v4l2-async.c | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/drivers/media/v4l2-core/v4l2-async.c
> > b/drivers/media/v4l2- core/v4l2-async.c index
> > 091e8cf4114b..8cfd593d293d 100644
> > --- a/drivers/media/v4l2-core/v4l2-async.c
> > +++ b/drivers/media/v4l2-core/v4l2-async.c
> > @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct
> > v4l2_subdev
> > *sd)
> >  				  &asc->notifier->waiting_list);
> >
> >  			v4l2_async_unbind_subdev_one(asc->notifier, asc);
> > -			list_del(&asc->asc_subdev_entry);
> >  		}
> >  	}
> >
> > --
> > 2.25.1
  
Sakari Ailus Jan. 5, 2024, 8:30 a.m. UTC | #3
Hi Biju,

On Thu, Jan 04, 2024 at 11:05:46AM +0000, Biju Das wrote:
> Hi All, 
> 
> Gentle ping. Are we happy with this fix? Please let me know.

Thanks for the patch.

The issue has been fixed by Sebastian's patch (commit
3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2 in media tree master).
  
Biju Das Jan. 5, 2024, 9:03 a.m. UTC | #4
Hi Sakari Ailus,

Thanks for the feedback.

> -----Original Message-----
> From: Sakari Ailus <sakari.ailus@linux.intel.com>
> Sent: Friday, January 5, 2024 8:30 AM
> Subject: Re: [PATCH] media: v4l: async: Fix double pointer free on
> v4l2_async_unregister_subdev()
> 
> Hi Biju,
> 
> On Thu, Jan 04, 2024 at 11:05:46AM +0000, Biju Das wrote:
> > Hi All,
> >
> > Gentle ping. Are we happy with this fix? Please let me know.
> 
> Thanks for the patch.
> 
> The issue has been fixed by Sebastian's patch (commit
> 3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2 in media tree master).

OK, I will drop this patch.

I got new info using CONFIG_DEBUG_LIST for list_del corruption issues.
For me, the issue hits with unbinding the driver.

Cheers,
Biju
  

Patch

diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
index 091e8cf4114b..8cfd593d293d 100644
--- a/drivers/media/v4l2-core/v4l2-async.c
+++ b/drivers/media/v4l2-core/v4l2-async.c
@@ -880,7 +880,6 @@  void v4l2_async_unregister_subdev(struct v4l2_subdev *sd)
 				  &asc->notifier->waiting_list);
 
 			v4l2_async_unbind_subdev_one(asc->notifier, asc);
-			list_del(&asc->asc_subdev_entry);
 		}
 	}