From: Dawei Feng <dawei.feng@seu.edu.cn>
To: kernel-list@raspberrypi.com
Cc: mchehab@kernel.org, linux-media@vger.kernel.org,
florian.fainelli@broadcom.com,
bcm-kernel-feedback-list@broadcom.com, rjui@broadcom.com,
sbranden@broadcom.com, linux-rpi-kernel@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, jianhao.xu@seu.edu.cn,
Dawei Feng <dawei.feng@seu.edu.cn>,
stable@vger.kernel.org, Zilin Guan <zilin@seu.edu.cn>
Subject: [PATCH] media: bcm2835-unicam: fix dummy buffer double free when register fails
Date: Fri, 15 May 2026 23:25:29 +0800
Message-ID: <20260515152529.1007540-1-dawei.feng@seu.edu.cn>
unicam_register_node() allocates node->dummy_buf_cpu_addr before
registering the video device. If video_register_device() fails, the
error path frees the dummy buffer but leaves the pointer unchanged.
unicam_async_complete() then unwinds the partial setup through
unicam_unregister_nodes(), which sees the stale non-NULL pointer and
frees the same buffer again.

Set dummy_buf_cpu_addr to NULL after dma_free_coherent() in both the
local error path and unicam_unregister_nodes() so later cleanup skips
already-released buffers.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc3.

Runtime validation was not attempted because reproducing this failure
path requires fault injection in a hardware-specific driver.
Fixes: 392cd78d495f ("media: bcm2835-unicam: Add support for CCP2/CSI2 camera interface")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
---
drivers/media/platform/broadcom/bcm2835-unicam.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/broadcom/bcm2835-unicam.c b/drivers/media/platform/broadcom/bcm2835-unicam.c
index 8d28ba0b59a3..94c80601c50d 100644
--- a/drivers/media/platform/broadcom/bcm2835-unicam.c
+++ b/drivers/media/platform/broadcom/bcm2835-unicam.c
@@ -2360,6 +2360,7 @@ static int unicam_register_node(struct unicam_device *unicam,
dma_free_coherent(unicam->dev, node->dummy_buf.size,
node->dummy_buf_cpu_addr,
node->dummy_buf.dma_addr);
+ node->dummy_buf_cpu_addr = NULL;
err_entity_cleanup:
media_entity_cleanup(&vdev->entity);
err_unicam_put:
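Review bot: clearing node->dummy_buf_cpu_addr right after dma_free_coherent() in this error path is the correct guard, since the only check unicam_unregister_nodes() performs before freeing is on that pointer; node->dummy_buf.size and node->dummy_buf.dma_addr are left populated, so any other teardown keyed on those fields would need its own check. A short comment above the assignment saying why the pointer is reset here (the unicam_async_complete() unwind re-enters unicam_unregister_nodes() on this node) would stop a later reader from treating it as redundant and dropping it.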
@@ -2379,10 +2380,12 @@ static void unicam_unregister_nodes(struct unicam_device *unicam)
node->registered = false;
}
- if (node->dummy_buf_cpu_addr)
+ if (node->dummy_buf_cpu_addr) {
dma_free_coherent(unicam->dev, node->dummy_buf.size,
node->dummy_buf_cpu_addr,
node->dummy_buf.dma_addr);
+ node->dummy_buf_cpu_addr = NULL;
+ }
}
}
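Review bot: the NULL reset after dma_free_coherent() together with the existing `if (node->dummy_buf_cpu_addr)` test makes this free idempotent, which is what protects the remove path as well as the registration-failure unwind; the commit message only mentions the latter, so it is worth stating both. The added braces are required now that the body is two statements, not a style change, and the unchanged context lines show the continuation indentation of the dma_free_coherent() arguments still lines up.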
--
2.34.1