From: sashiko-bot@kernel.org
To: "Sven Püschel" <s.pueschel@pengutronix.de>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v7 25/28] media: rockchip: rga: add feature flags
Date: Wed, 20 May 2026 23:42:25 +0000
Message-ID: <20260520234225.995A11F000E9@smtp.kernel.org>
In-Reply-To: <20260521-spu-rga3-v7-25-3f33e8c7145f@pengutronix.de>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
Pre-existing issues:
- [High] The return value of `rga_setup_ctrls()` is ignored in `rga_open()`, leading to a Use-After-Destroy vulnerability if control initialization fails.
- [High] The mem2mem device is released before the video device is unregistered in `rga_remove()`, leading to a Use-After-Free.
- [High] The main driver structure `rockchip_rga` is managed by devres (`devm_kzalloc`) but accessed by V4L2 file operations, causing a Use-After-Free on unbind.
- [High] Streaming DMA synchronization is incorrectly called on coherent memory allocated with `dma_alloc_attrs()`, and placed after triggering the hardware.
--
commit c9c0ebd48cb930bc4deb38afc01630239c973c0d
Author: Sven Püschel <s.pueschel@pengutronix.de>
media: rockchip: rga: add feature flags
In preparation for the RGA3 addition, add feature flags, which can limit
the exposed feature set of the video device, like rotating or selection
support. This is necessary as the RGA3 doesn't initially implement the
full feature set currently exposed by the driver.
[ ... ]
> diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c
> index 1878b4e26360b..8d60e94da32d8 100644
> --- a/drivers/media/platform/rockchip/rga/rga.c
> +++ b/drivers/media/platform/rockchip/rga/rga.c
> @@ -177,17 +177,21 @@ static int rga_setup_ctrls(struct rga_ctx *ctx)
>
> v4l2_ctrl_handler_init(&ctx->ctrl_handler, 4);
>
[ ... ]
> if (ctx->ctrl_handler.error) {
> int err = ctx->ctrl_handler.error;
>
> v4l2_err(&rga->v4l2_dev, "%s failed\n", __func__);
> v4l2_ctrl_handler_free(&ctx->ctrl_handler);
> return err;
> }
>
> return 0;
> }
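Review bot: the error path in this hunk calls v4l2_ctrl_handler_free() before `return err;`, so on failure the handler (and its embedded lock) is gone and every caller must treat the return value as fatal; rga_open() in this same file calls `rga_setup_ctrls(ctx);` without checking it and then `v4l2_ctrl_handler_setup(&ctx->ctrl_handler);`. Either capture the result in rga_open() and jump to its error path, or drop the free here and leave cleanup to the caller, but the contract should be one or the other and stated in a comment above the function. The four added lines of this hunk are elided in the quote, so the feature-flag gating itself cannot be reviewed from this message.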
[Severity: High]
This isn't a bug introduced by this patch, but does ignoring the return value
of this function in rga_open() lead to a use-after-destroy vulnerability?
drivers/media/platform/rockchip/rga/rga.c:rga_open() {
...
rga_setup_ctrls(ctx);
/* Write the default values to the ctx struct */
v4l2_ctrl_handler_setup(&ctx->ctrl_handler);
...
}
If rga_setup_ctrls() fails, it calls v4l2_ctrl_handler_free() which destroys
the control handler's embedded lock. Since rga_open() ignores the error and
continues to v4l2_ctrl_handler_setup(), will it attempt to acquire the
destroyed lock?
[Severity: High]
This is a pre-existing issue, but does the teardown order in rga_remove()
cause a use-after-free if the device node is held open?
drivers/media/platform/rockchip/rga/rga.c:rga_remove() {
...
v4l2_m2m_release(rga->m2m_dev);
video_unregister_device(rga->vfd);
...
}
If the mem2mem device is released before the video device is unregistered,
could a userspace process with an open file descriptor trigger a
use-after-free when closing it? The rga_release() file operation dereferences
the freed m2m_dev via v4l2_m2m_ctx_release().
[Severity: High]
This is a pre-existing issue, but does managing the main driver structure
with devres lead to a use-after-free on unbind?
drivers/media/platform/rockchip/rga/rga.c:rga_probe() {
...
rga = devm_kzalloc(&pdev->dev, sizeof(*rga), GFP_KERNEL);
...
}
When the driver is unbound, devres automatically frees the memory. Since
the v4l2 framework allows video device file descriptors to outlive the
driver unbind process, could a userspace application close a lingering file
descriptor and call rga_release() on the freed rga structure?
[Severity: High]
This isn't a bug introduced by this patch, but is streaming DMA
synchronization incorrectly used on coherent memory?
drivers/media/platform/rockchip/rga/rga-hw.c:rga_hw_setup_cmdbuf() {
...
rga_write(rga, RGA_CMD_BASE, ctx->cmdbuf_phy);
/* sync CMD buf for RGA */
dma_sync_single_for_device(rga->dev, ctx->cmdbuf_phy,
PAGE_SIZE, DMA_BIDIRECTIONAL);
...
}
Since the command buffer is allocated using dma_alloc_attrs() with
DMA_ATTR_WRITE_COMBINE, is it valid to call dma_sync_single_for_device()
on it? The DMA API prohibits calling streaming sync functions on addresses
returned by coherent allocation functions. Also, is it problematic that
the sync happens after writing the DMA address to the hardware register?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260521-spu-rga3-v7-0-3f33e8c7145f@pengutronix.de?part=25
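The devres point raised above (a devm_kzalloc'd structure freed at unbind while an open file descriptor can still reach it) comes down to who holds the last reference. The following user-space C program is an added illustration, not code from the patch or from the rga driver: it models both ownership schemes with a hand-rolled reference count (in a real driver the kernel's kref and the video device release callback play this role). The names rga_model, handle and rga_model_* are constructed for the example, and "freed" memory is represented by a flag so the model can inspect it safely.

```c
#include <stdio.h>

/*
 * Constructed user-space model (not kernel code) of a driver-private
 * structure that must outlive every open file handle, not only the
 * device binding.
 */
struct rga_model {
	int refcount;
	int released;	/* stands in for kfree(); real freed memory keeps no flag */
};

struct handle {
	struct rga_model *rga;	/* file->private_data in the real driver */
};

static int release_calls;

/* The "release" callback: runs when the last reference is dropped. */
static void rga_model_release(struct rga_model *rga)
{
	rga->released = 1;
	release_calls++;
}

static void rga_model_get(struct rga_model *rga)
{
	rga->refcount++;
}

static void rga_model_put(struct rga_model *rga)
{
	if (--rga->refcount == 0)
		rga_model_release(rga);
}

/*
 * devm-style ownership: the structure dies with the device binding,
 * whatever userspace still holds. Returns 1 if the later close()
 * dereferenced released data, 0 otherwise.
 */
int devm_style_unbind_then_close(void)
{
	struct rga_model rga = { .refcount = 0, .released = 0 };
	struct handle h;

	release_calls = 0;
	h.rga = &rga;			/* open(): handle points at driver data, no ref */
	rga_model_release(&rga);	/* unbind: devres frees unconditionally */
	return h.rga->released;		/* close(): touches what unbind released */
}

/*
 * Refcounted ownership: probe() takes one reference and every open()
 * another; unbind and close() each drop one, so the release callback
 * runs exactly once, after the last user. Returns 1 if that happened.
 */
int refcounted_unbind_then_close(void)
{
	struct rga_model rga = { .refcount = 0, .released = 0 };
	struct handle h;
	int released_before_close, released_after_close;

	release_calls = 0;
	rga_model_get(&rga);		/* probe() */
	h.rga = &rga;
	rga_model_get(&rga);		/* open() */
	rga_model_put(&rga);		/* unbind: drops only the probe reference */
	released_before_close = rga.released;
	rga_model_put(h.rga);		/* close(): last reference, release runs now */
	released_after_close = rga.released;

	return !released_before_close && released_after_close &&
	       release_calls == 1;
}

int main(void)
{
	printf("devm-style: close() touched released data: %d\n",
	       devm_style_unbind_then_close());
	printf("refcounted: release ran once, after last close(): %d\n",
	       refcounted_unbind_then_close());
	return 0;
}
```

The same reasoning applies to the teardown order noted for rga_remove(): whatever rga_release() will dereference on the last close has to stay alive until that close, so resources are dropped in the reverse order of the dependencies between them.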