Date: Mon, 4 May 2026 12:19:32 -0400
From: Frank Li
To: Xiaolei Wang
Cc: laurent.pinchart@ideasonboard.com, mchehab@kernel.org, s.hauer@pengutronix.de, kernel@pengutronix.de, festevam@gmail.com, aisheng.dong@nxp.com, jacopo@jmondi.org, guoniu.zhou@nxp.com, s.riedmueller@phytec.de, linux-media@vger.kernel.org, imx@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 1/3] media: imx8-isi: fix use-after-free on remove
References: <20260424231926.406079-1-xiaolei.wang@windriver.com> <20260424231926.406079-2-xiaolei.wang@windriver.com>
In-Reply-To: <20260424231926.406079-2-xiaolei.wang@windriver.com>

On Sat, Apr 25, 2026 at 07:19:24AM +0800, Xiaolei Wang wrote:
> KASAN reports a slab-use-after-free in __media_entity_remove_link()
> during rmmod of imx8_isi:
>
>   BUG: KASAN: slab-use-after-free in __media_entity_remove_link+0x608/0x650
>   Read of size 2 at addr ffff0000d47cb02a by task rmmod/724
>
>   Call trace:
>    __media_entity_remove_link+0x608/0x650
>    __media_entity_remove_links+0x78/0x144
>    __media_device_unregister_entity+0x150/0x280
>    media_device_unregister_entity+0x48/0x68
>    v4l2_device_unregister_subdev+0x158/0x300
>    v4l2_async_unbind_subdev_one+0x22c/0x358
>    v4l2_async_nf_unbind_all_subdevs+0xfc/0x1c0
>    v4l2_async_nf_unregister+0x5c/0x14c
>    mxc_isi_remove+0x124/0x2a0 [imx8_isi]
>
>   Allocated by task 249:
>    __kmalloc_noprof+0x27c/0x690
>    mxc_isi_crossbar_init+0x22c/0x560 [imx8_isi]
>
>   Freed by task 724:
>    kfree+0x1e4/0x5b0
>    mxc_isi_crossbar_cleanup+0x34/0x80 [imx8_isi]
>    mxc_isi_remove+0x11c/0x2a0 [imx8_isi]
>
> The problem is that mxc_isi_remove() calls mxc_isi_crossbar_cleanup()
> before mxc_isi_v4l2_cleanup(). The crossbar cleanup frees the media
> entity pads, but the subsequent v4l2 cleanup still tries to remove
> media links that reference those pads.
>
> Fix this by calling mxc_isi_v4l2_cleanup() before
> mxc_isi_crossbar_cleanup() to ensure all media entities are properly
> unregistered while the pads are still valid.
> > Fixes: cf21f328fcaf ("media: nxp: Add i.MX8 ISI driver") > Cc: stable@vger.kernel.org > Signed-off-by: Xiaolei Wang > --- Reviewed-by: Frank Li > drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c b/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c > index 4bf8570e1b9e..2d639b789910 100644 > --- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c > +++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.c > @@ -556,8 +556,8 @@ static void mxc_isi_remove(struct platform_device *pdev) > mxc_isi_pipe_cleanup(pipe); > } > > - mxc_isi_crossbar_cleanup(&isi->crossbar); > mxc_isi_v4l2_cleanup(isi); > + mxc_isi_crossbar_cleanup(&isi->crossbar); > } > > static const struct of_device_id mxc_isi_of_match[] = { > -- > 2.43.0 >
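
Review bot: In mxc_isi_remove(), the context line `mxc_isi_pipe_cleanup(pipe);` in the loop just above the swapped calls still runs before `mxc_isi_v4l2_cleanup(isi);`, and the commit message only explains why the crossbar pads must outlive the v4l2 unregistration. Please state whether the pipe cleanup frees anything that the link removal reached from the v4l2 cleanup still dereferences, and if it does, move the v4l2 call ahead of that loop as well. Because the required order is a lifetime constraint that the call names do not convey, a short comment above the two reordered calls (pads must stay valid until the media entities are unregistered) would keep a later teardown refactor from reintroducing the use-after-free.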