Message ID | 20231130173232.130731-1-biju.das.jz@bp.renesas.com (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Sakari Ailus |
Series | media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev() |
Commit Message
Biju Das
Nov. 30, 2023, 5:32 p.m. UTC
The v4l2_async_unbind_subdev_one() deallocates the pointer
&asc->asc_subdev_entry. The same pointer is again used to
deallocate in list_del() leading to the below kernel crash.

Unable to handle kernel paging request at virtual address dead000000000108
v4l2_async_unregister_subdev+0xf8/0x164
rzg2l_csi2_remove+0x30/0x5c
platform_remove+0x28/0x64
device_remove+0x48/0x74
device_release_driver_internal+0x1d8/0x234
device_driver_detach+0x14/0x1c
unbind_store+0xac/0xb0

Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections between entities")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
drivers/media/v4l2-core/v4l2-async.c | 1 -
1 file changed, 1 deletion(-)
Comments
Hi All, Gentle ping. Are we happy with this fix? Please let me know. This issue is reproducible on RZ/G2L SMARC EVK. Cheers, Biju > -----Original Message----- > From: Biju Das <biju.das.jz@bp.renesas.com> > Sent: Thursday, November 30, 2023 5:33 PM > Subject: [PATCH] media: v4l: async: Fix double pointer free on > v4l2_async_unregister_subdev() > > The v4l2_async_unbind_subdev_one() deallocates the pointer &asc- > >asc_subdev_entry. The same pointer is again used to deallocate in > list_del() leading to the below kernel crash. > > Unable to handle kernel paging request at virtual address dead000000000108 > v4l2_async_unregister_subdev+0xf8/0x164 > rzg2l_csi2_remove+0x30/0x5c > platform_remove+0x28/0x64 > device_remove+0x48/0x74 > device_release_driver_internal+0x1d8/0x234 > device_driver_detach+0x14/0x1c > unbind_store+0xac/0xb0 > > Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections > between entities") > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > --- > drivers/media/v4l2-core/v4l2-async.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2- > core/v4l2-async.c > index 091e8cf4114b..8cfd593d293d 100644 > --- a/drivers/media/v4l2-core/v4l2-async.c > +++ b/drivers/media/v4l2-core/v4l2-async.c > @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct v4l2_subdev > *sd) > &asc->notifier->waiting_list); > > v4l2_async_unbind_subdev_one(asc->notifier, asc); > - list_del(&asc->asc_subdev_entry); > } > } > > -- > 2.25.1
Hi All, Gentle ping. Are we happy with this fix? Please let me know. Cheers, Biju > -----Original Message----- > From: Biju Das <biju.das.jz@bp.renesas.com> > Sent: Monday, December 11, 2023 5:10 PM > Subject: RE: [PATCH] media: v4l: async: Fix double pointer free on > v4l2_async_unregister_subdev() > > Hi All, > > Gentle ping. Are we happy with this fix? Please let me know. > > This issue is reproducible on RZ/G2L SMARC EVK. > > Cheers, > Biju > > > -----Original Message----- > > From: Biju Das <biju.das.jz@bp.renesas.com> > > Sent: Thursday, November 30, 2023 5:33 PM > > Subject: [PATCH] media: v4l: async: Fix double pointer free on > > v4l2_async_unregister_subdev() > > > > The v4l2_async_unbind_subdev_one() deallocates the pointer &asc- > > >asc_subdev_entry. The same pointer is again used to deallocate in > > list_del() leading to the below kernel crash. > > > > Unable to handle kernel paging request at virtual address > > dead000000000108 > > v4l2_async_unregister_subdev+0xf8/0x164 > > rzg2l_csi2_remove+0x30/0x5c > > platform_remove+0x28/0x64 > > device_remove+0x48/0x74 > > device_release_driver_internal+0x1d8/0x234 > > device_driver_detach+0x14/0x1c > > unbind_store+0xac/0xb0 > > > > Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections > > between entities") > > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > > --- > > drivers/media/v4l2-core/v4l2-async.c | 1 - > > 1 file changed, 1 deletion(-) > > > > diff --git a/drivers/media/v4l2-core/v4l2-async.c > > b/drivers/media/v4l2- core/v4l2-async.c index > > 091e8cf4114b..8cfd593d293d 100644 > > --- a/drivers/media/v4l2-core/v4l2-async.c > > +++ b/drivers/media/v4l2-core/v4l2-async.c > > @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct > > v4l2_subdev > > *sd) > > &asc->notifier->waiting_list); > > > > v4l2_async_unbind_subdev_one(asc->notifier, asc); > > - list_del(&asc->asc_subdev_entry); > > } > > } > > > > -- > > 2.25.1
Hi Biju,

On Thu, Jan 04, 2024 at 11:05:46AM +0000, Biju Das wrote:
> Hi All,
>
> Gentle ping. Are we happy with this fix? Please let me know.

Thanks for the patch.

The issue has been fixed by Sebastian's patch (commit
3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2 in media tree master).
Hi Sakari Ailus,

Thanks for the feedback.

> -----Original Message-----
> From: Sakari Ailus <sakari.ailus@linux.intel.com>
> Sent: Friday, January 5, 2024 8:30 AM
> Subject: Re: [PATCH] media: v4l: async: Fix double pointer free on
> v4l2_async_unregister_subdev()
>
> Hi Biju,
>
> On Thu, Jan 04, 2024 at 11:05:46AM +0000, Biju Das wrote:
> > Hi All,
> >
> > Gentle ping. Are we happy with this fix? Please let me know.
>
> Thanks for the patch.
>
> The issue has been fixed by Sebastian's patch (commit
> 3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2 in media tree master).

OK, I will drop this patch. I got new info using CONFIG_DEBUG_LIST for list_del corruption issues. For me, the issue hits with unbinding the driver.

Cheers,
Biju
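The faulting address in the trace and the CONFIG_DEBUG_LIST remark above, worked through in a userspace model (an added example, not code from the patch or the kernel tree): deleting a list entry twice dereferences the list poison, and a sanity check on the entry catches it before the write. The names list_del_checked(), second_del_fault_addr() and unregister_prepatch() are hypothetical, and the poison constants assume arm64 with 64-bit pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the kernel's list_head (constructed, not kernel source). */
struct list_head { struct list_head *next, *prev; };
/* List poison as on arm64: 0x100 / 0x122 plus the 0xdead000000000000 delta. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000122ULL)

static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next; n->prev = head;
	head->next->prev = n; head->next = n;
}

/* list_del() with a CONFIG_DEBUG_LIST-style check: -1 already deleted, -2 corrupt. */
static int list_del_checked(struct list_head *e)
{
	if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
		return -1;
	if (e->prev->next != e || e->next->prev != e)
		return -2;
	e->next->prev = e->prev;	/* an unchecked second delete faults here */
	e->prev->next = e->next;
	e->next = LIST_POISON1; e->prev = LIST_POISON2;
	return 0;
}

/* Address that unchecked write would hit on a deleted entry: &next->prev. */
static unsigned long long second_del_fault_addr(void)
{
	return (uintptr_t)LIST_POISON1 + offsetof(struct list_head, prev);
}

/* Pre-patch call order, modelled: a helper unlinks the entry, the caller deletes again. */
static int unregister_prepatch(struct list_head *e)
{
	list_del_checked(e);		/* stands in for the helper's own unlink */
	return list_del_checked(e);	/* the list_del() the patch removes */
}

int main(void)
{
	struct list_head head = { &head, &head }, entry;
	list_add(&entry, &head);
	printf("second del: %d, fault at 0x%llx\n", unregister_prepatch(&entry), second_del_fault_addr());
	return 0;
}
```

The computed address is the one in the "Unable to handle kernel paging request" line of the trace.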
diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c index 091e8cf4114b..8cfd593d293d 100644 --- a/drivers/media/v4l2-core/v4l2-async.c +++ b/drivers/media/v4l2-core/v4l2-async.c @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct v4l2_subdev *sd) &asc->notifier->waiting_list); v4l2_async_unbind_subdev_one(asc->notifier, asc); - list_del(&asc->asc_subdev_entry); } }
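Review bot: the removed list_del(&asc->asc_subdev_entry) line is justified in the commit message as a double free, but the faulting address dead000000000108 in the trace matches the list poison pattern (LIST_POISON1 plus the offset of prev on arm64), which points to the entry being unlinked twice rather than memory being freed twice. The hunk does not show the body of v4l2_async_unbind_subdev_one(), so please name the statement there that already unlinks asc_subdev_entry, and reword the subject and description to say "double list_del()" so the change can be checked against the commit named in the Fixes: tag.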