From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1FE3C36165A
	for <linux-arm-msm@vger.kernel.org>; Tue, 27 Jan 2026 16:50:50 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.171
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1769532652; cv=none; b=b+OPoGMI1YYeRfezxUSVdR8cWXgVL9ssCFiKnTt95ml2cnicaKz0s9LqMxTfaYQAjevYO/IEG8qWuJyTsVgZQzjYSuEVzrUPZDvoRXWvrLLosIHCj2jKM5dX8T3CZ2wS+FgifjlLFlXQMALqQase8+5Eu41ExY78L9p9tyDx0kM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1769532652; c=relaxed/simple;
	bh=1WGgjypg0PBheHfuaGYLd6B4hrFTtvJOaY0+TNgie7w=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version; b=caeF6TUsSYHoRoJwUaJCeQiOSsjrmimkQ3rW7vKQO3eefhqXvFbwOqX1pMSmdeckJkG3CtLvJWX36l66gO/guJqLF6gCl2yUlZkfGrUCW1oPjWkeiKLy0iWLVKj0FZ7ZYQd1PMCtQQtotMj2/oL37EFeqrd5lvgIsg0WTnOWiTQ=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=jA07n2sU; arc=none smtp.client-ip=209.85.214.171
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="jA07n2sU"
Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-29f30233d8aso39640405ad.0
        for <linux-arm-msm@vger.kernel.org>; Tue, 27 Jan 2026 08:50:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1769532650; x=1770137450; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=D5SO64hlGAGZzQm96wir8vkRTu1HntqB7h3c84mXcwA=;
        b=jA07n2sUpZ0A7Mu07qloDPg5IdeecHj5rR0x9Wn84SPctyrtnPsRBCHOljfmQYIo0K
         ZIZgiYzeUeBLXASvJlqvnMi5jFftxxSzuwIk8kFEDvv5TbkPG/6q8SIG7B2PiglgKgH+
         cRa9ZM1Fn+xVBefpkcnLv/A33yvJ/OYDjgeHNuZziq4Sn94OVoTTF8jo5NsPNVHJSFVn
         9AUL7I38YTXoa9CUnFYAspAUq70hwaFH+5XBKfgYUNyjBKQ05KCCBlG1aCJpgDH0UISk
         4TR9mbNiCiLDPe/WxX3yccvmcsmOivDqm+Ap/3WIv60gVL+SELiqSqydfMl8fJreigcw
         esyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1769532650; x=1770137450;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=D5SO64hlGAGZzQm96wir8vkRTu1HntqB7h3c84mXcwA=;
        b=Rj6OS/jCnOFIGD7WoBkHN5slCwjj9Phppuw9FbCUw4Ts5/3EhMzwjbELLnxSFV9xq8
         us+FYtlgnDqhzb0JBSM/1XuznsS1zr7zradTK2vs5dcC5O7DApjYnPEDpoiVA0ig2pIC
         xmevmf+MWymw+PjrYee0b6fwe0n4VePOFwsyVx1zJxVfGOBDzwjL1ORlgi7/ZmnX8p6M
         M3yf3G1O/qqxn7E6zwccZpJvAKsA+oM1a7BvomYio171Iam5uag7FGrGt4Ywk9+82vJs
         OVGKCljbi1Wy+L/eb/eqxruyUYlxXYQIwn575LHYwY5HkVsH+wdfMtTskKKgQF/mQuHN
         sTeQ==
X-Gm-Message-State: AOJu0Yw7HtX8PS2GDCuXtMli/T+3rgOR6wdyhrFCp8L+WGVhvjlCF2dn
	EZgKrNMxjxtYmJSoVM7ClmIpFxHaMyxjYZrm8wxgCotABiAhFK9YKYw+
X-Gm-Gg: AZuq6aJ01gGTEF1JWduFjV8A87C/vsTb6dMUEjMhrRoDNuUNXKElrvRpFCDvau4w7Oq
	yeojrQw8arO1bhcIgxfgqEPrz6Y74gtbtsqiM10HRwrKQPmIHbwC0qPSBvLa9+vqCljWuBGYwa1
	SWJ7nCElbfR6Xh6BImUmBe6PFG0AC816/pHalQqxLDoM5G0V99DmruD8088m1b9UJpJqAihMach
	oadTVqbddwS+XKruKzIL63EFuoC5Vg/d7ugiSGfctsvrNQZShkJp8TtUNh7kijWxEqlanqV7cjc
	EtKLWZWQl144kHsr1JxD7Y8XSkkrn80bEKNi/m7ntEv8tk/ZGXb9YqgQcCEz4I/xd2APNaePKo/
	1YcIu/nG+JWA5oSlDeF9YvW75zTvld73xBBrJ0T3GIO0NZmyMzW5Gprrkh3BBdJ1ZljyFPLSZI/
	Dfinufsnd6qgm9ngVnbRXT+oE/N++UReL/1v0=
X-Received: by 2002:a17:903:4b07:b0:2a0:993b:d72a with SMTP id d9443c01a7336-2a870da13fcmr16826975ad.4.1769532650395;
        Tue, 27 Jan 2026 08:50:50 -0800 (PST)
Received: from saikiran-Yoga-Slim-7-14Q8X9 ([2402:e280:3d17:646:d29a:ea37:2567:751])
        by smtp.gmail.com with ESMTPSA id d9443c01a7336-2a802daa46fsm120318675ad.21.2026.01.27.08.50.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 27 Jan 2026 08:50:50 -0800 (PST)
From: Saikiran <bjsaikiran@gmail.com>
To: linux-media@vger.kernel.org
Cc: linux-arm-msm@vger.kernel.org,
	rfoss@kernel.org,
	todor.too@gmail.com,
	bryan.odonoghue@linaro.org,
	bod@kernel.org,
	vladimir.zapolskiy@linaro.org,
	hansg@kernel.org,
	sakari.ailus@linux.intel.com,
	mchehab@kernel.org,
	stable@vger.kernel.org,
	Saikiran <bjsaikiran@gmail.com>
Subject: [PATCH v4 1/2] media: i2c: ov02c10: Fix use-after-free in remove function
Date: Tue, 27 Jan 2026 22:20:23 +0530
Message-ID: <20260127165024.46156-2-bjsaikiran@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20260127165024.46156-1-bjsaikiran@gmail.com>
References: <20260127165024.46156-1-bjsaikiran@gmail.com>
Precedence: bulk
X-Mailing-List: linux-arm-msm@vger.kernel.org
List-Id: <linux-arm-msm.vger.kernel.org>
List-Subscribe: <mailto:linux-arm-msm+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-arm-msm+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

The ov02c10_remove() function has a race condition where v4l2_ctrl_handler
and media_entity resources are freed before the device is powered off.
If userspace (e.g., PipeWire/WirePlumber) accesses the device during
removal, this causes a use-after-free leading to kernel oops with
"Execute from non-executable memory" errors.

The issue occurs because:
1. v4l2_ctrl_handler_free() is called first
2. Userspace may still have the device open
3. Control access triggers use-after-free
4. Device is powered off afterwards (too late)

Fix by reordering cleanup to disable runtime PM and power off the device
BEFORE freeing v4l2_ctrl_handler and media_entity resources. This ensures
the device is in a safe state before any resources are freed.

Call sequence after fix:
1. v4l2_async_unregister_subdev() - unregister from V4L2
2. pm_runtime_disable() - disable runtime PM
3. ov02c10_power_off() - power off device if needed
4. v4l2_subdev_cleanup() - clean up subdev
5. media_entity_cleanup() - clean up media entity
6. v4l2_ctrl_handler_free() - free control handler (safe now)

Tested-on: Lenovo Yoga Slim 7x (Snapdragon X Elite)
Fixes: 44f8901 ("media: i2c: add OmniVision OV02C10 sensor driver")
Cc: stable@vger.kernel.org
Reviewed-by: Hans de Goede <hansg@kernel.org>
Signed-off-by: Saikiran <bjsaikiran@gmail.com>
---
 drivers/media/i2c/ov02c10.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/media/i2c/ov02c10.c b/drivers/media/i2c/ov02c10.c
index cf93d36032e1..fa7cc48b769a 100644
--- a/drivers/media/i2c/ov02c10.c
+++ b/drivers/media/i2c/ov02c10.c
@@ -864,14 +864,14 @@ static void ov02c10_remove(struct i2c_client *client)
 	struct ov02c10 *ov02c10 = to_ov02c10(sd);
 
 	v4l2_async_unregister_subdev(sd);
-	v4l2_subdev_cleanup(sd);
-	media_entity_cleanup(&sd->entity);
-	v4l2_ctrl_handler_free(sd->ctrl_handler);
 	pm_runtime_disable(ov02c10->dev);
 	if (!pm_runtime_status_suspended(ov02c10->dev)) {
 		ov02c10_power_off(ov02c10->dev);
 		pm_runtime_set_suspended(ov02c10->dev);
 	}
+	v4l2_subdev_cleanup(sd);
+	media_entity_cleanup(&sd->entity);
+	v4l2_ctrl_handler_free(sd->ctrl_handler);
 }
 
 static int ov02c10_probe(struct i2c_client *client)
-- 
2.51.0