Message ID | 20220907123359.1275322-1-luzmaximilian@gmail.com (mailing list archive)
---|---
State | New, archived
Series | media: staging/intel-ipu3: Finalize subdev initialization to allocate active state
Hi Maximilian,

On 07/09/2022 15:33, Maximilian Luz wrote:
> Commit f69952a4dc1e ("media: subdev: add active state to struct
> v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
> This state needs to be allocated via v4l2_subdev_init_finalize(). The
> intel-ipu3 driver unfortunately does not do that, due to which,

That is fine, a driver only needs to allocate the active state if it uses
the active state.

> active_state is NULL and we run into an oops (NULL pointer dereference)
> when that state is accessed.
>
> In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
> ("media: subdev: pass also the active state to subdevs from ioctls")
> passes that state on to the subdev IOCTLs. An example scenario where
> this happens is running libcamera's qcam or cam on a device with IPU3,
> for example the Microsoft Surface Book 2. In this case, the oops is
> reproducible in v4l2_subdev_get_try_crop(), called via
> imgu_subdev_set_selection().
>
> To fix this, allocate the active_state member via
> v4l2_subdev_init_finalize().

This is not a correct fix. Sakari has sent (and maybe pushed?) this:

https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@linux.intel.com/

 Tomi

> Link: https://github.com/linux-surface/linux-surface/issues/907
> Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
> Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
> ---
>  drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
> index d1c539cefba8..84ab98ba9a2e 100644
> --- a/drivers/staging/media/ipu3/ipu3-v4l2.c
> +++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
> @@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu, > "failed to create subdev v4l2 ctrl with err %d", r); > goto fail_subdev; > } > + > + r = v4l2_subdev_init_finalize(&imgu_sd->subdev); > + if (r) { > + dev_err(&imgu->pci_dev->dev, > + "failed to initialize subdev (%d)\n", r); > + goto fail_subdev; > + } > + > r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev); > if (r) { > dev_err(&imgu->pci_dev->dev, > - "failed initialize subdev (%d)\n", r); > + "failed to register subdev (%d)\n", r); > goto fail_subdev; > } > > @@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu, > return 0; > > fail_subdev: > + v4l2_subdev_cleanup(&imgu_sd->subdev); > v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler); > media_entity_cleanup(&imgu_sd->subdev.entity); > > @@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i) > struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i]; > > v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev); > + v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev); > v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler); > media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity); > }
On Wed, Sep 07, 2022 at 03:46:26PM +0300, Tomi Valkeinen wrote:
> Hi Maximilian,
>
> On 07/09/2022 15:33, Maximilian Luz wrote:
> > Commit f69952a4dc1e ("media: subdev: add active state to struct
> > v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
> > This state needs to be allocated via v4l2_subdev_init_finalize(). The
> > intel-ipu3 driver unfortunately does not do that, due to which,
>
> That is fine, a driver only needs to allocate the active state if it uses
> the active state.
>
> > active_state is NULL and we run into an oops (NULL pointer dereference)
> > when that state is accessed.
> >
> > In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
> > ("media: subdev: pass also the active state to subdevs from ioctls")
> > passes that state on to the subdev IOCTLs. An example scenario where
> > this happens is running libcamera's qcam or cam on a device with IPU3,
> > for example the Microsoft Surface Book 2. In this case, the oops is
> > reproducible in v4l2_subdev_get_try_crop(), called via
> > imgu_subdev_set_selection().
> >
> > To fix this, allocate the active_state member via
> > v4l2_subdev_init_finalize().
>
> This is not a correct fix. Sakari has sent (and maybe pushed?) this:
>
> https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@linux.intel.com/

This being said, it would be nice to convert drivers to use the active
state, but that's not related to fixing this issue.

> > Link: https://github.com/linux-surface/linux-surface/issues/907
> > Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
> > Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
> > ---
> >  drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
> >  1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
> > index d1c539cefba8..84ab98ba9a2e 100644
> > --- a/drivers/staging/media/ipu3/ipu3-v4l2.c
> > +++ b/drivers/staging/media/ipu3/ipu3-v4l2.c > > @@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu, > > "failed to create subdev v4l2 ctrl with err %d", r); > > goto fail_subdev; > > } > > + > > + r = v4l2_subdev_init_finalize(&imgu_sd->subdev); > > + if (r) { > > + dev_err(&imgu->pci_dev->dev, > > + "failed to initialize subdev (%d)\n", r); > > + goto fail_subdev; > > + } > > + > > r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev); > > if (r) { > > dev_err(&imgu->pci_dev->dev, > > - "failed initialize subdev (%d)\n", r); > > + "failed to register subdev (%d)\n", r); > > goto fail_subdev; > > } > > > > @@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu, > > return 0; > > > > fail_subdev: > > + v4l2_subdev_cleanup(&imgu_sd->subdev); > > v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler); > > media_entity_cleanup(&imgu_sd->subdev.entity); > > > > @@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i) > > struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i]; > > > > v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev); > > + v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev); > > v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler); > > media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity); > > } >
Hi,

On 9/7/22 14:46, Tomi Valkeinen wrote:
> Hi Maximilian,
>
> On 07/09/2022 15:33, Maximilian Luz wrote:
>> Commit f69952a4dc1e ("media: subdev: add active state to struct
>> v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
>> This state needs to be allocated via v4l2_subdev_init_finalize(). The
>> intel-ipu3 driver unfortunately does not do that, due to which,
>
> That is fine, a driver only needs to allocate the active state if it uses
> the active state.
>
>> active_state is NULL and we run into an oops (NULL pointer dereference)
>> when that state is accessed.
>>
>> In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
>> ("media: subdev: pass also the active state to subdevs from ioctls")
>> passes that state on to the subdev IOCTLs. An example scenario where
>> this happens is running libcamera's qcam or cam on a device with IPU3,
>> for example the Microsoft Surface Book 2. In this case, the oops is
>> reproducible in v4l2_subdev_get_try_crop(), called via
>> imgu_subdev_set_selection().
>>
>> To fix this, allocate the active_state member via
>> v4l2_subdev_init_finalize().
>
> This is not a correct fix. Sakari has sent (and maybe pushed?) this:
>
> https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@linux.intel.com/

Thanks! Unfortunately that doesn't fix the issue completely: that patch
addresses imgu_subdev_get_selection() but imgu_subdev_set_selection()
still runs into the oops. I assume a similar fix to the one you linked is
needed? I'll give that a try.

Regards,
Max
diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c index d1c539cefba8..84ab98ba9a2e 100644 --- a/drivers/staging/media/ipu3/ipu3-v4l2.c +++ b/drivers/staging/media/ipu3/ipu3-v4l2.c @@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu, "failed to create subdev v4l2 ctrl with err %d", r); goto fail_subdev; } + + r = v4l2_subdev_init_finalize(&imgu_sd->subdev); + if (r) { + dev_err(&imgu->pci_dev->dev, + "failed to initialize subdev (%d)\n", r); + goto fail_subdev; + } + r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev); if (r) { dev_err(&imgu->pci_dev->dev, - "failed initialize subdev (%d)\n", r); + "failed to register subdev (%d)\n", r); goto fail_subdev; } @@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu, return 0; fail_subdev: + v4l2_subdev_cleanup(&imgu_sd->subdev); v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler); media_entity_cleanup(&imgu_sd->subdev.entity); @@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i) struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i]; v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev); + v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev); v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler); media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity); }
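Review bot: the v4l2_subdev_init_finalize() call added ahead of v4l2_device_register_subdev() in the first hunk fixes the symptom, not the cause. The commit message places the oops in v4l2_subdev_get_try_crop() reached from imgu_subdev_set_selection(), i.e. the selection handler reaches into the subdev state for a request that the ioctl now serves with the active state, and, as the thread says, a driver only needs to allocate an active state if it actually uses one; this driver does not. The handler should answer V4L2_SUBDEV_FORMAT_ACTIVE requests without touching the state, the way the get_selection fix linked in the thread does, with the same done for set_selection. Separately, the `"failed initialize subdev (%d)\n"` to `"failed to register subdev (%d)\n"` message change is unrelated to the Fixes: tag and belongs in its own patch.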
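Review bot: in the fail_subdev hunk, the label is now reached from three places, the ctrl-handler failure above it, the new v4l2_subdev_init_finalize() failure and the register failure, so v4l2_subdev_cleanup() also runs for a subdev whose active state was never allocated. v4l2_subdev_cleanup() tolerates a NULL active_state, so this does not crash, but the unwind no longer mirrors the init sequence one to one; either add a comment that the NULL case is intended or introduce a separate label between the ctrl-handler and init_finalize() steps for the earlier `goto fail_subdev`, so each error path undoes only what succeeded.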
Commit f69952a4dc1e ("media: subdev: add active state to struct
v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
This state needs to be allocated via v4l2_subdev_init_finalize(). The
intel-ipu3 driver unfortunately does not do that, due to which,
active_state is NULL and we run into an oops (NULL pointer dereference)
when that state is accessed.

In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
("media: subdev: pass also the active state to subdevs from ioctls")
passes that state on to the subdev IOCTLs. An example scenario where
this happens is running libcamera's qcam or cam on a device with IPU3,
for example the Microsoft Surface Book 2. In this case, the oops is
reproducible in v4l2_subdev_get_try_crop(), called via
imgu_subdev_set_selection().

To fix this, allocate the active_state member via
v4l2_subdev_init_finalize().

Link: https://github.com/linux-surface/linux-surface/issues/907
Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
---
 drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
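The failure mode described in the commit message and the shape of fix the replies point to, as an added user-space model. This is not code from the thread, from the ipu3 driver or from the V4L2 core: the kernel types (v4l2_subdev_state, v4l2_subdev_selection, imgu_v4l2_subdev) are replaced by stand-ins, and all names, fields and the -EINVAL return are assumptions. The one detail kept is that the state's pad array is reached through a pointer, so a handler that resolves the TRY pointer before looking at `which` faults on a NULL active state, while a handler that picks its backing storage from `which` first never needs one.

```c
/*
 * Added example, not code from this thread or from the ipu3 driver: a
 * user-space model of two shapes a subdev selection handler can take.
 * Kernel types are stand-ins; the one detail kept is that state->pads
 * is a pointer, so a NULL state faults on first access. Names, fields
 * and the -EINVAL return are assumptions.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum sel_which { SEL_WHICH_TRY, SEL_WHICH_ACTIVE };
enum sel_target { SEL_TGT_CROP };

struct rect { int left, top, width, height; };
struct pad_state { struct rect try_crop; };          /* per-pad TRY storage */
struct subdev_state { struct pad_state *pads; };
struct imgu_model { struct rect eff; };              /* driver-owned ACTIVE crop rectangle */
struct selection { enum sel_which which; enum sel_target target; unsigned int pad; struct rect r; };

/* Stand-in for v4l2_subdev_get_try_crop(): no NULL check on st. */
static struct rect *get_try_crop(struct subdev_state *st, unsigned int pad)
{
	return &st->pads[pad].try_crop;
}

/*
 * Shape that oopses: the TRY pointer is resolved before 'which' is looked
 * at, so an ACTIVE request arriving with st == NULL (no active state was
 * ever allocated) faults inside get_try_crop() although the ACTIVE
 * rectangle lives in the driver, not in the state.
 */
int set_selection_unconditional(struct imgu_model *imgu, struct subdev_state *st,
				const struct selection *sel)
{
	struct rect *try_sel, *active;

	switch (sel->target) {
	case SEL_TGT_CROP:
		try_sel = get_try_crop(st, sel->pad);
		active = &imgu->eff;
		break;
	default:
		return -EINVAL;   /* other targets left out of this model */
	}
	if (sel->which == SEL_WHICH_TRY)
		*try_sel = sel->r;
	else
		*active = sel->r;
	return 0;
}

/*
 * Shape that needs no active state: choose the backing storage from
 * 'which' first and touch st only for TRY requests, for which the core
 * passes the file handle's own state.
 */
int set_selection_by_which(struct imgu_model *imgu, struct subdev_state *st,
			   const struct selection *sel)
{
	struct rect *dst;

	switch (sel->target) {
	case SEL_TGT_CROP:
		dst = sel->which == SEL_WHICH_TRY ? get_try_crop(st, sel->pad) : &imgu->eff;
		break;
	default:
		return -EINVAL;
	}
	*dst = sel->r;
	return 0;
}

/* Scenario: ACTIVE crop with st == NULL. Returns the width the driver stored, or the error. */
int demo_active_crop_without_state(void)
{
	struct imgu_model imgu;
	struct selection sel = { SEL_WHICH_ACTIVE, SEL_TGT_CROP, 0, { 0, 0, 1920, 1080 } };
	int r;

	memset(&imgu, 0, sizeof(imgu));
	r = set_selection_by_which(&imgu, NULL, &sel);
	return r ? r : imgu.eff.width;
}

/* Scenario: TRY crop with a real state; both shapes work and the ACTIVE rect stays untouched. */
int demo_try_crop_with_state(void)
{
	struct pad_state pads[1];
	struct subdev_state st = { pads };
	struct imgu_model imgu;
	struct selection sel = { SEL_WHICH_TRY, SEL_TGT_CROP, 0, { 8, 8, 640, 480 } };

	memset(pads, 0, sizeof(pads));
	memset(&imgu, 0, sizeof(imgu));
	if (set_selection_unconditional(&imgu, &st, &sel) || imgu.eff.width != 0)
		return -1;
	return pads[0].try_crop.width;
}

int main(void)
{
	printf("ACTIVE crop, no active state: %d\n", demo_active_crop_without_state());
	printf("TRY crop, with state: %d\n", demo_try_crop_with_state());
	/* set_selection_unconditional() with st == NULL and an ACTIVE request would fault. */
	return 0;
}
```

The model deliberately does not call set_selection_unconditional() with a NULL state, since that is the crash the thread is about; the point is that allocating an active state only makes that call survive, whereas set_selection_by_which() never dereferences the state for an ACTIVE request, which is the property a driver that keeps its active rectangles in its own structure needs.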