From: Sultan Alsawaf <sultan@kerneltoast.com>
To: Bin Du <Bin.Du@amd.com>
Cc: mchehab@kernel.org, hverkuil@xs4all.nl,
laurent.pinchart+renesas@ideasonboard.com,
bryan.odonoghue@linaro.org, sakari.ailus@linux.intel.com,
prabhakar.mahadev-lad.rj@bp.renesas.com,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
pratap.nirujogi@amd.com, benjamin.chan@amd.com, king.li@amd.com,
gjorgji.rosikopulos@amd.com, Phil.Jawich@amd.com,
Dominic.Antony@amd.com, Svetoslav.Stoilov@amd.com
Subject: Re: [PATCH v2 6/8] media: platform: amd: isp4 video node and buffers handling added
Date: Mon, 28 Jul 2025 00:04:37 -0700
Message-ID: <aIchBRdmy48BHl2k@sultan-box>
In-Reply-To: <20250618091959.68293-7-Bin.Du@amd.com>
I found more refcounting issues in addition to the ones from my other emails
while trying to make my webcam work:
On Wed, Jun 18, 2025 at 05:19:57PM +0800, Bin Du wrote:
> +static int isp4vid_vb2_mmap(void *buf_priv, struct vm_area_struct *vma)
> +{
> + struct isp4vid_vb2_buf *buf = buf_priv;
> + int ret;
> +
> + if (!buf) {
> + pr_err("fail no memory to map\n");
> + return -EINVAL;
> + }
> +
> + ret = remap_vmalloc_range(vma, buf->vaddr, 0);
> + if (ret) {
> + dev_err(buf->dev, "fail remap vmalloc mem, %d\n", ret);
> + return ret;
> + }
> +
> + /*
> + * Make sure that vm_areas for 2 buffers won't be merged together
> + */
> + vm_flags_set(vma, VM_DONTEXPAND);
> +
> + dev_dbg(buf->dev, "mmap isp user bo 0x%llx size %ld refcount %d\n",
> + buf->gpu_addr, buf->size, buf->refcount.refs.counter);
Use refcount_read() instead of reading the refcount's atomic_t counter directly.
This is done in 3 other places; change those to refcount_read() as well.
This didn't cause any functional problems, but it should still be fixed.
> +
> + return 0;
> +}
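Review bot: the mapping created at `ret = remap_vmalloc_range(vma, buf->vaddr, 0);` does not pin the buffer for the lifetime of the VMA: no vma->vm_private_data or vma->vm_ops are installed, whereas videobuf2-vmalloc's mmap sets vb2_common_vm_ops, whose open/close bump and drop the buffer refcount, precisely so that a REQBUFS(0) or device close while the mapping is still alive cannot free pages the user still has mapped. Either install vm_ops with open/close that take and release a reference on `buf` (the refcount printed in the dev_dbg below is the obvious one), or state why the lifetime is guaranteed some other way. Two smaller points: remap_vmalloc_range() only accepts memory allocated with vmalloc_user() (VM_USERMAP), so the allocation site must match; and `pr_err("fail no memory to map\n")` misdescribes a NULL handle, since the return is -EINVAL rather than -ENOMEM; the "invalid buf handle" wording used elsewhere fits better.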
[snip]
> +static void isp4vid_vb2_detach_dmabuf(void *mem_priv)
> +{
> + struct isp4vid_vb2_buf *buf = mem_priv;
> +
> + if (!buf) {
> + pr_err("fail invalid buf handle\n");
> + return;
> + }
> +
> + struct iosys_map map = IOSYS_MAP_INIT_VADDR(buf->vaddr);
> +
> + dev_dbg(buf->dev, "detach dmabuf of isp user bo 0x%llx size %ld",
> + buf->gpu_addr, buf->size);
> +
> + if (buf->vaddr)
> + dma_buf_vunmap_unlocked(buf->dbuf, &map);
> +
> + // put dmabuf for exported ones
> + dma_buf_put(buf->dbuf);
> +
> + kfree(buf);
> +}
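Review bot: `struct iosys_map map = IOSYS_MAP_INIT_VADDR(buf->vaddr);` is a declaration after statements, in the middle of the function; the usual kernel style keeps locals at the top, and if the dma_buf_vunmap_unlocked() call is dropped, as suggested below, `map` becomes unused and should go with it. The dev_dbg() format "detach dmabuf of isp user bo 0x%llx size %ld" is also missing its trailing newline, and the `// put dmabuf for exported ones` comment mixes C99 style with the `/* ... */` block used earlier in the same patch; pick one.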
As mentioned in the other email, the dma_buf_put() here needs to be removed. But
that's not all: the dma_buf_vunmap_unlocked() needs to be removed too because
vb2 will always unmap the buffer before detaching it. As a result, having the
dma_buf_vunmap_unlocked() call here results in a use-after-free when vb2 calls
the unmap_dmabuf memop.
Change this function to the following:
static void isp4vid_vb2_detach_dmabuf(void *mem_priv)
{
	struct isp4vid_vb2_buf *buf = mem_priv;

	kfree(buf);
}
> +static void isp4vid_qops_buffer_cleanup(struct vb2_buffer *vb)
> +{
> + struct isp4vid_dev *isp_vdev = vb2_get_drv_priv(vb->vb2_queue);
> + struct isp4vid_vb2_buf *buf = vb->planes[0].mem_priv;
> +
> + dev_dbg(isp_vdev->dev, "%s|index=%u vb->memory %u",
> + isp_vdev->vdev.name, vb->index, vb->memory);
> +
> + if (!buf) {
> + dev_err(isp_vdev->dev, "Invalid buf handle");
> + return;
> + }
> +
> + // release implicit dmabuf reference here for vb2 buffer
> + // of type MMAP and is exported
> + if (vb->memory == VB2_MEMORY_MMAP && buf->is_expbuf) {
> + dma_buf_put(buf->dbuf);
> + dev_dbg(isp_vdev->dev,
> + "put dmabuf for vb->memory %d expbuf %d",
> + vb->memory,
> + buf->is_expbuf);
> + }
> +}
> +
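Review bot: `dma_buf_put(buf->dbuf);` drops a reference that nothing in this patch shows the driver taking for an exported MMAP buffer. The reference created when the dma_buf is exported belongs to the fd that VIDIOC_EXPBUF installs via dma_buf_fd(), and the exporter's release callback runs when the last user of that fd closes it, so this extra put can take the count to zero while userspace still holds the fd. Since the put is the only work the hook does apart from logging, the right fix is to remove the whole callback rather than tighten the `vb->memory == VB2_MEMORY_MMAP && buf->is_expbuf` guard.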
Remove the isp4vid_qops_buffer_cleanup() function. It causes a use-after-free by
doing an extra dma_buf_put(). This function isn't needed now that the refcount
issues are solved.
[snip]
> +static const struct vb2_ops isp4vid_qops = {
> + .queue_setup = isp4vid_qops_queue_setup,
> + .buf_cleanup = isp4vid_qops_buffer_cleanup,
Remove the .buf_cleanup hook too.
> + .buf_queue = isp4vid_qops_buffer_queue,
> + .start_streaming = isp4vid_qops_start_streaming,
> + .stop_streaming = isp4vid_qops_stop_streaming,
> + .wait_prepare = vb2_ops_wait_prepare,
> + .wait_finish = vb2_ops_wait_finish,
> +};
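Review bot: once `.buf_cleanup = isp4vid_qops_buffer_cleanup,` is dropped, the remaining concern is `.wait_prepare = vb2_ops_wait_prepare,` and `.wait_finish = vb2_ops_wait_finish,`: those helpers call mutex_unlock()/mutex_lock() on the queue's `lock` unconditionally and will oops if it is NULL, and this hunk does not show the vb2_queue initialization, so please confirm q->lock is assigned before vb2_queue_init(). On trees where vb2 core already releases q->lock around its blocking waits when these hooks are absent, both lines can be removed outright.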
[snip]
Along with the changes from my other emails, I believe this finally fixes all of
the refcounting issues. No more UaF or leaks here. :-)
Sultan
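The ownership rule behind the detach_dmabuf and buf_cleanup comments above, that vb2 takes the dma_buf reference with dma_buf_get() at QBUF time and drops it itself after calling unmap_dmabuf and detach_dmabuf, so the driver must never put it, can be walked through in a small userspace model. The C below is an added example and is neither the isp4 driver's code nor kernel code: `model_dma_buf`, `model_driver_buf`, `run_cycle` and the two detach functions are stand-ins written for this illustration, and the vmap/vunmap half of the lifecycle is tracked only as a flag. What it copies from vb2 core is the teardown order, unmap_dmabuf then detach_dmabuf then vb2's own dma_buf_put().

```c
/*
 * Userspace model of dma_buf reference ownership on the videobuf2 DMABUF
 * import path. Added example only: not the isp4 driver's code and not kernel
 * code; every type and helper below is a stand-in. The teardown order copied
 * here is vb2 core's: unmap_dmabuf -> detach_dmabuf -> dma_buf_put(), and that
 * final put belongs to vb2, which took the reference with dma_buf_get(fd).
 */
#include <stdbool.h>
#include <stdio.h>

struct model_dma_buf {
	int refs;		/* stand-in for the dma_buf file's refcount */
	bool released;		/* exporter's release callback has run */
};

struct model_driver_buf {	/* stand-in for the driver's per-plane mem_priv */
	struct model_dma_buf *dbuf;
	bool mapped;
};

struct model_result {
	int refs_after_vb2_put;	/* 1 expected: the user's fd still owns one */
	bool released_early;	/* buffer released while that fd was open */
	bool put_after_release;	/* a later put ran on released memory (UAF) */
};

static void model_dma_buf_put(struct model_dma_buf *d, struct model_result *r)
{
	if (d->released) {
		r->put_after_release = true;
		return;
	}
	if (--d->refs == 0)
		d->released = true;
}

typedef void (*detach_fn)(struct model_driver_buf *, struct model_result *);

/* Detach as in the quoted hunk: also drops a reference the driver never took. */
static void detach_with_extra_put(struct model_driver_buf *b, struct model_result *r)
{
	model_dma_buf_put(b->dbuf, r);
}

/* Detach as suggested in the reply: only the driver's private state goes. */
static void detach_fixed(struct model_driver_buf *b, struct model_result *r)
{
	(void)b;
	(void)r;
}

/* One QBUF(DMABUF) .. REQBUFS(0) .. close(fd) cycle with the given detach op. */
static struct model_result run_cycle(detach_fn detach)
{
	struct model_dma_buf dbuf = { .refs = 1 };	/* user's fd: one ref */
	struct model_driver_buf buf = { .dbuf = &dbuf };
	struct model_result r = { 0 };

	dbuf.refs++;			/* vb2: dma_buf_get(fd) on QBUF */
	buf.mapped = true;		/* driver map_dmabuf: dma_buf_vmap() */

	/* vb2 __vb2_plane_dmabuf_put() order on REQBUFS(0)/close */
	buf.mapped = false;		/* driver unmap_dmabuf: dma_buf_vunmap() */
	detach(&buf, &r);		/* driver detach_dmabuf */
	model_dma_buf_put(&dbuf, &r);	/* vb2's own dma_buf_put() */

	r.refs_after_vb2_put = dbuf.refs;
	r.released_early = dbuf.released;

	model_dma_buf_put(&dbuf, &r);	/* user finally closes its fd */
	return r;
}

int main(void)
{
	struct model_result bad = run_cycle(detach_with_extra_put);
	struct model_result good = run_cycle(detach_fixed);

	printf("extra put: refs=%d released_early=%d put_after_release=%d\n",
	       bad.refs_after_vb2_put, bad.released_early, bad.put_after_release);
	printf("fixed:     refs=%d released_early=%d put_after_release=%d\n",
	       good.refs_after_vb2_put, good.released_early, good.put_after_release);
	return 0;
}
```

With the extra put the count reaches zero at vb2's own put, so the buffer is released while userspace still holds the fd and the eventual close() operates on released memory; with the fixed detach the fd keeps its single reference until it is closed. The same reasoning applies to the dma_buf_put() in the buf_cleanup hook.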
Thread overview: 98+ messages
2025-06-18 9:19 [PATCH v2 0/8] Add AMD ISP4 driver Bin Du
2025-06-18 9:19 ` [PATCH v2 1/8] media: platform: amd: Introduce amd isp4 capture driver Bin Du
2025-06-18 15:58 ` Mario Limonciello
2025-06-19 7:46 ` Du, Bin
2025-06-19 13:00 ` Mario Limonciello
2025-06-20 3:08 ` Du, Bin
2025-07-28 5:54 ` Sakari Ailus
2025-07-28 9:00 ` Du, Bin
2025-06-18 9:19 ` [PATCH v2 2/8] media: platform: amd: low level support for isp4 firmware Bin Du
2025-06-18 16:00 ` Mario Limonciello
2025-06-19 7:53 ` Du, Bin
2025-07-28 5:57 ` Sakari Ailus
2025-07-28 9:24 ` Du, Bin
2025-06-18 9:19 ` [PATCH v2 3/8] media: platform: amd: Add helpers to configure isp4 mipi phy Bin Du
2025-07-28 6:33 ` Sakari Ailus
2025-08-05 9:53 ` Du, Bin
2025-08-05 10:53 ` Laurent Pinchart
2025-08-06 9:56 ` Du, Bin
2025-08-05 10:39 ` Laurent Pinchart
2025-08-06 9:45 ` Du, Bin
2025-07-28 7:28 ` Sakari Ailus
2025-07-31 9:31 ` Du, Bin
2025-06-18 9:19 ` [PATCH v2 4/8] media: platform: amd: Add isp4 fw and hw interface Bin Du
2025-06-18 16:17 ` Mario Limonciello
2025-06-19 9:58 ` Du, Bin
2025-06-19 15:11 ` Mario Limonciello
2025-06-20 3:32 ` Du, Bin
2025-07-28 7:23 ` Sakari Ailus
2025-07-29 9:12 ` Du, Bin
2025-08-11 11:46 ` Sakari Ailus
2025-08-11 12:31 ` Laurent Pinchart
2025-08-12 3:36 ` Du, Bin
2025-08-12 7:34 ` Laurent Pinchart
2025-08-12 8:08 ` Du, Bin
2025-08-12 8:20 ` Sakari Ailus
2025-08-12 10:04 ` Du, Bin
2025-08-12 2:44 ` Du, Bin
2025-06-18 9:19 ` [PATCH v2 5/8] media: platform: amd: isp4 subdev and firmware loading handling added Bin Du
2025-06-18 16:35 ` Mario Limonciello
2025-06-20 9:31 ` Du, Bin
2025-07-06 20:55 ` Mario Limonciello
2025-07-07 6:22 ` Du, Bin
2025-07-25 1:35 ` Sultan Alsawaf
2025-07-25 9:03 ` Du, Bin
2025-06-18 9:19 ` [PATCH v2 6/8] media: platform: amd: isp4 video node and buffers " Bin Du
2025-07-23 17:55 ` Sultan Alsawaf
2025-07-24 5:14 ` Sultan Alsawaf
2025-07-25 9:05 ` Du, Bin
2025-07-25 9:22 ` Du, Bin
2025-07-26 21:41 ` Sultan Alsawaf
2025-07-26 21:50 ` Sultan Alsawaf
2025-07-29 6:12 ` Du, Bin
2025-07-29 6:08 ` Du, Bin
2025-07-28 7:04 ` Sultan Alsawaf [this message]
2025-07-29 7:43 ` Du, Bin
2025-07-31 0:34 ` Sultan Alsawaf
2025-07-31 9:45 ` Du, Bin
2025-08-11 6:02 ` Sultan Alsawaf
2025-08-11 9:05 ` Du, Bin
2025-08-12 5:51 ` Sultan Alsawaf
2025-08-12 6:33 ` Du, Bin
2025-08-13 9:42 ` Du, Bin
2025-08-14 6:37 ` Sultan Alsawaf
2025-06-18 9:19 ` [PATCH v2 7/8] media: platform: amd: isp4 debug fs logging and more descriptive errors Bin Du
2025-06-18 9:19 ` [PATCH v2 8/8] Documentation: add documentation of AMD isp 4 driver Bin Du
2025-08-05 11:37 ` Laurent Pinchart
2025-08-12 1:36 ` Du, Bin
2025-08-12 13:42 ` Laurent Pinchart
2025-08-22 2:28 ` Du, Bin
2025-08-20 12:42 ` Sakari Ailus
2025-08-22 2:20 ` Du, Bin
2025-09-22 6:24 ` Sakari Ailus
2025-09-22 9:19 ` Du, Bin
2025-07-23 18:12 ` [PATCH v2 0/8] Add AMD ISP4 driver Sultan Alsawaf
2025-07-25 10:22 ` Du, Bin
2025-07-26 22:31 ` Sultan Alsawaf
2025-07-29 3:32 ` Du, Bin
2025-07-29 7:42 ` Sultan Alsawaf
2025-07-29 7:45 ` Sultan Alsawaf
2025-07-29 10:13 ` Du, Bin
2025-07-30 5:38 ` Sultan Alsawaf
2025-07-30 9:53 ` Du, Bin
2025-07-31 0:30 ` Sultan Alsawaf
2025-07-31 10:04 ` Du, Bin
2025-08-04 3:32 ` Du, Bin
2025-08-04 4:25 ` Sultan Alsawaf
2025-08-08 9:11 ` Du, Bin
2025-08-11 5:49 ` Sultan Alsawaf
2025-08-11 8:35 ` Du, Bin
2025-08-11 21:48 ` Sultan Alsawaf
2025-08-11 22:17 ` Sultan Alsawaf
2025-08-12 2:02 ` Du, Bin
2025-08-14 6:53 ` Sultan Alsawaf
2025-08-22 2:23 ` Du, Bin
2025-08-22 3:56 ` Sultan Alsawaf
2025-08-27 10:30 ` Du, Bin
2025-08-28 5:50 ` Sultan Alsawaf
2025-09-02 2:08 ` Du, Bin