Message ID | 20231130173232.130731-1-biju.das.jz@bp.renesas.com (mailing list archive) |
---|---|
State | New, archived |
Series | media: v4l: async: Fix double pointer free on v4l2_async_unregister_subdev() |
Hi All, Gentle ping. Are we happy with this fix? Please let me know. This issue is reproducible on RZ/G2L SMARC EVK. Cheers, Biju > -----Original Message----- > From: Biju Das <biju.das.jz@bp.renesas.com> > Sent: Thursday, November 30, 2023 5:33 PM > Subject: [PATCH] media: v4l: async: Fix double pointer free on > v4l2_async_unregister_subdev() > > The v4l2_async_unbind_subdev_one() deallocates the pointer &asc- > >asc_subdev_entry. The same pointer is again used to deallocate in > list_del() leading to the below kernel crash. > > Unable to handle kernel paging request at virtual address dead000000000108 > v4l2_async_unregister_subdev+0xf8/0x164 > rzg2l_csi2_remove+0x30/0x5c > platform_remove+0x28/0x64 > device_remove+0x48/0x74 > device_release_driver_internal+0x1d8/0x234 > device_driver_detach+0x14/0x1c > unbind_store+0xac/0xb0 > > Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections > between entities") > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > --- > drivers/media/v4l2-core/v4l2-async.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2- > core/v4l2-async.c > index 091e8cf4114b..8cfd593d293d 100644 > --- a/drivers/media/v4l2-core/v4l2-async.c > +++ b/drivers/media/v4l2-core/v4l2-async.c > @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct v4l2_subdev > *sd) > &asc->notifier->waiting_list); > > v4l2_async_unbind_subdev_one(asc->notifier, asc); > - list_del(&asc->asc_subdev_entry); > } > } > > -- > 2.25.1
Hi All, Gentle ping. Are we happy with this fix? Please let me know. Cheers, Biju > -----Original Message----- > From: Biju Das <biju.das.jz@bp.renesas.com> > Sent: Monday, December 11, 2023 5:10 PM > Subject: RE: [PATCH] media: v4l: async: Fix double pointer free on > v4l2_async_unregister_subdev() > > Hi All, > > Gentle ping. Are we happy with this fix? Please let me know. > > This issue is reproducible on RZ/G2L SMARC EVK. > > Cheers, > Biju > > > -----Original Message----- > > From: Biju Das <biju.das.jz@bp.renesas.com> > > Sent: Thursday, November 30, 2023 5:33 PM > > Subject: [PATCH] media: v4l: async: Fix double pointer free on > > v4l2_async_unregister_subdev() > > > > The v4l2_async_unbind_subdev_one() deallocates the pointer &asc- > > >asc_subdev_entry. The same pointer is again used to deallocate in > > list_del() leading to the below kernel crash. > > > > Unable to handle kernel paging request at virtual address > > dead000000000108 > > v4l2_async_unregister_subdev+0xf8/0x164 > > rzg2l_csi2_remove+0x30/0x5c > > platform_remove+0x28/0x64 > > device_remove+0x48/0x74 > > device_release_driver_internal+0x1d8/0x234 > > device_driver_detach+0x14/0x1c > > unbind_store+0xac/0xb0 > > > > Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections > > between entities") > > Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> > > --- > > drivers/media/v4l2-core/v4l2-async.c | 1 - > > 1 file changed, 1 deletion(-) > > > > diff --git a/drivers/media/v4l2-core/v4l2-async.c > > b/drivers/media/v4l2- core/v4l2-async.c index > > 091e8cf4114b..8cfd593d293d 100644 > > --- a/drivers/media/v4l2-core/v4l2-async.c > > +++ b/drivers/media/v4l2-core/v4l2-async.c > > @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct > > v4l2_subdev > > *sd) > > &asc->notifier->waiting_list); > > > > v4l2_async_unbind_subdev_one(asc->notifier, asc); > > - list_del(&asc->asc_subdev_entry); > > } > > } > > > > -- > > 2.25.1
Hi Biju,

On Thu, Jan 04, 2024 at 11:05:46AM +0000, Biju Das wrote:
> Hi All,
>
> Gentle ping. Are we happy with this fix? Please let me know.

Thanks for the patch.

The issue has been fixed by Sebastian's patch (commit
3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2 in media tree master).
Hi Sakari Ailus,

Thanks for the feedback.

> -----Original Message-----
> From: Sakari Ailus <sakari.ailus@linux.intel.com>
> Sent: Friday, January 5, 2024 8:30 AM
> Subject: Re: [PATCH] media: v4l: async: Fix double pointer free on
> v4l2_async_unregister_subdev()
>
> Hi Biju,
>
> On Thu, Jan 04, 2024 at 11:05:46AM +0000, Biju Das wrote:
> > Hi All,
> >
> > Gentle ping. Are we happy with this fix? Please let me know.
>
> Thanks for the patch.
>
> The issue has been fixed by Sebastian's patch (commit
> 3de6ee94aae701fa949cd3b5df6b6a440ddfb8f2 in media tree master).

OK, I will drop this patch.

I got new info using CONFIG_DEBUG_LIST for list_del corruption issues.
For me, the issue hits with unbinding the driver.

Cheers,
Biju
diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c index 091e8cf4114b..8cfd593d293d 100644 --- a/drivers/media/v4l2-core/v4l2-async.c +++ b/drivers/media/v4l2-core/v4l2-async.c @@ -880,7 +880,6 @@ void v4l2_async_unregister_subdev(struct v4l2_subdev *sd) &asc->notifier->waiting_list); v4l2_async_unbind_subdev_one(asc->notifier, asc); - list_del(&asc->asc_subdev_entry); } }
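Review bot: The subject and description call this a double free, but the line removed from v4l2_async_unregister_subdev() is a list_del(), which unlinks asc->asc_subdev_entry and frees nothing; please reword it as a double list_del() of the same entry. The fault address dead000000000108 in the trace is the list poison value plus the offset of the prev pointer, which fits a second unlink rather than a free. The hunk also does not show where v4l2_async_unbind_subdev_one() removes the entry, so the description should name that call so a reader can confirm the removal here is redundant on every path through the loop.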
The v4l2_async_unbind_subdev_one() deallocates the pointer
&asc->asc_subdev_entry. The same pointer is again used to deallocate in
list_del() leading to the below kernel crash.

Unable to handle kernel paging request at virtual address dead000000000108
v4l2_async_unregister_subdev+0xf8/0x164
rzg2l_csi2_remove+0x30/0x5c
platform_remove+0x28/0x64
device_remove+0x48/0x74
device_release_driver_internal+0x1d8/0x234
device_driver_detach+0x14/0x1c
unbind_store+0xac/0xb0

Fixes: 28a1295795d8 ("media: v4l: async: Allow multiple connections between entities")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
---
drivers/media/v4l2-core/v4l2-async.c | 1 -
1 file changed, 1 deletion(-)
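Why a second list_del() on the same entry faults at dead000000000108, and what a CONFIG_DEBUG_LIST-style check reports instead, as an added user-space example (not kernel code and not part of this patch). `list_del_checked` and `unchecked_del_fault_addr` are hypothetical names, and the poison constants assume the arm64 values on a 64-bit build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Poison values as in include/linux/poison.h. Assumption: 64-bit build
 * with the arm64 CONFIG_ILLEGAL_POINTER_VALUE of 0xdead000000000000. */
#define POISON_POINTER_DELTA 0xdead000000000000ULL
#define LIST_POISON1 ((struct list_head *)(uintptr_t)(0x100 + POISON_POINTER_DELTA))
#define LIST_POISON2 ((struct list_head *)(uintptr_t)(0x122 + POISON_POINTER_DELTA))

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next;
	n->prev = head;
	head->next->prev = n;
	head->next = n;
}

/* Hypothetical helper modelled on the CONFIG_DEBUG_LIST sanity check:
 * refuse to unlink a poisoned entry or one its neighbours don't point to. */
static int list_del_checked(struct list_head *e)
{
	if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
		return -1;		/* already unlinked once */
	if (e->prev->next != e || e->next->prev != e)
		return -1;		/* list is corrupted */
	e->next->prev = e->prev;
	e->prev->next = e->next;
	e->next = LIST_POISON1;	/* what list_del() leaves behind */
	e->prev = LIST_POISON2;
	return 0;
}

/* First store an unchecked list_del() performs is next->prev = prev. */
static uint64_t unchecked_del_fault_addr(const struct list_head *e)
{
	return (uint64_t)(uintptr_t)e->next + offsetof(struct list_head, prev);
}

int main(void)
{
	struct list_head head, entry;
	list_init(&head);
	list_add(&entry, &head);
	int first = list_del_checked(&entry), second = list_del_checked(&entry);
	printf("first=%d second=%d unchecked write at %llx\n", first, second,
	       (unsigned long long)unchecked_del_fault_addr(&entry));
	return 0;
}
```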