From: sashiko-bot@kernel.org
To: "Valery Borovsky" <vebohr@gmail.com>
Cc: linux-sunxi@lists.linux.dev
Subject: Re: [PATCH 3/6] media: pwc: Return queued buffers on start_streaming() failure
Date: Tue, 12 May 2026 23:37:05 +0000 [thread overview]
Message-ID: <20260512233705.689B1C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <d0fdfb94b56871e757812bfb7aa58e83f7215903.1778518085.git.vebohr@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Incomplete Buffer Cleanup on Error in `start_streaming()` causing a buffer leak
--
commit 39f02233e64ac5cb48aca4fd3aaf5db7ee99320b
Author: Valery Borovsky <vebohr@gmail.com>
Subject: media: pwc: Return queued buffers on start_streaming() failure
This commit addresses leaked buffers during start_streaming() failures
by ensuring queued buffers are returned to videobuf2 before returning an
error on the early exit paths.
Cc: stable@vger.kernel.org
> diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c
> --- a/drivers/media/usb/pwc/pwc-if.c
> +++ b/drivers/media/usb/pwc/pwc-if.c
> @@ -710,11 +710,15 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count)
> struct pwc_device *pdev = vb2_get_drv_priv(vq);
> int r;
>
> - if (!pdev->udev)
> + if (!pdev->udev) {
> + pwc_cleanup_queued_bufs(pdev, VB2_BUF_STATE_QUEUED);
Does this cleanup catch buffers that might have been moved to pdev->fill_buf?
While this isn't a new regression introduced by this specific patch, it
looks like a buffer leak could still happen if pwc_isoc_init() fails later
in this function.
During pwc_isoc_init(), usb_submit_urb() is called with GFP_KERNEL and
can sleep. If a previously submitted URB completes successfully before the
loop finishes, its completion handler pwc_isoc_handler() can execute and
move a buffer from pdev->queued_bufs into pdev->fill_buf.
If a subsequent usb_submit_urb() fails, pwc_isoc_init() aborts and kills
the URBs. The error path in start_streaming() then executes
pwc_cleanup_queued_bufs(). Since pdev->fill_buf is no longer in the list,
it would be ignored by the cleanup routine and leaked, triggering the
same WARN_ON(owned_by_drv_count) trap.
Should pdev->fill_buf be explicitly checked and returned to videobuf2 on
failure, similar to how it is handled in stop_streaming()?
> return -ENODEV;
> + }
--
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1778518085.git.vebohr@gmail.com?part=3
next prev parent reply other threads:[~2026-05-12 23:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 17:12 [PATCH 0/6] media: vb2: Return queued buffers from start_streaming() on error Valery Borovsky
2026-05-11 17:12 ` [PATCH 1/6] media: airspy: Return queued buffers on start_streaming() failure Valery Borovsky
2026-05-12 22:17 ` sashiko-bot
2026-05-11 17:12 ` [PATCH 2/6] media: msi2500: " Valery Borovsky
2026-05-11 17:12 ` [PATCH 3/6] media: pwc: " Valery Borovsky
2026-05-12 23:37 ` sashiko-bot [this message]
2026-05-11 17:12 ` [PATCH 4/6] media: rtl2832_sdr: " Valery Borovsky
2026-05-13 0:10 ` sashiko-bot
2026-05-11 17:12 ` [PATCH 5/6] media: stm32-dcmipp: " Valery Borovsky
2026-05-11 17:12 ` [PATCH 6/6] media: sun4i-csi: " Valery Borovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260512233705.689B1C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vebohr@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.