From: sashiko-bot@kernel.org
To: "Dmitry Baryshkov" <dmitry.baryshkov@oss.qualcomm.com>
Cc: robh@kernel.org, devicetree@vger.kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v4 11/16] media: iris: update buffer requirements based on received info
Date: Fri, 12 Jun 2026 10:08:26 +0000	[thread overview]
Message-ID: <20260612100826.D85131F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260612-iris-ar50lt-v4-11-0abfb74d5b3c@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

New issues:
- [High] The driver incorrectly assigns `req->hold_count` and `req->count_actual` from `struct hfi_buffer_requirements` instead of `req->count_min` to instance buffer counts, leading to insufficient buffer allocations.

Pre-existing issues:
- [High] Preexisting Use-After-Free (UAF) race condition due to missing reference counting in `iris_get_instance`.
- [High] Preexisting Use-After-Free (UAF) of `inst->m2m_ctx` during session teardown in `iris_close()`.
--

commit 07ef5efeab4196fd6eaca945bfba49a95c55f702
Author: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>

media: iris: update buffer requirements based on received info

Upon receiving data for HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS the
driver should update buffer sizes and counts from the received data.
Implement corresponding functionality updating buffers data. This will
be used for upcoming support of AR50Lt platforms with Gen1 firmware.

> diff --git a/drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c b/drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c
> index 23fc7194b1e3a..ee996eb1f41fa 100644
> --- a/drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c
> +++ b/drivers/media/platform/qcom/iris/iris_hfi_gen1_response.c

[ ... ]

> +static void iris_hfi_gen1_session_buffer_requirements(struct iris_inst *inst,
> +						      void *data, size_t size)
> +{
> +	struct hfi_buffer_requirements *req;
> +
> +	if (!size || size % sizeof(*req))
> +		return;
> +
> +	for (req = data; size; size -= sizeof(*req), req++) {
> +		enum iris_buffer_type type = iris_hfi_gen1_buf_type(inst, req->type);
> +
> +		if (type == -EINVAL)
> +			continue;
> +
> +		inst->buffers[type].min_count = req->hold_count;
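Review bot: `type` is declared as `enum iris_buffer_type` yet compared against `-EINVAL`, so the error path relies on the compiler's choice of underlying type for the enum; prefer `int ret = iris_hfi_gen1_buf_type(inst, req->type); if (ret < 0) continue;` and only then use the value as an index. The `size % sizeof(*req)` early return also drops a malformed payload silently, so a framing mismatch on the new Gen1 firmware leaves `inst->buffers[]` at its defaults with nothing in the log; a `dev_warn()` on that path would make it visible.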

[Severity: High]
Is this assignment correct? The existing firmware semantics appear to expect
req->count_min to represent the minimum required buffers for forward progress.

Will assigning req->hold_count (which is typically lower) cause the driver to
under-allocate buffers for V4L2, leading to firmware stalls?

> +		inst->buffers[type].size = req->size;
> +
> +		if (type == BUF_OUTPUT)
> +			inst->fw_min_count = req->count_actual;
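Review bot: `req->size` and the counts are copied straight from the firmware payload with no sanity check, so a zero `req->size` or a zero count stored into `inst->buffers[type]` only surfaces later in vb2 queue setup, far from its origin; consider rejecting (or at least logging) entries with `!req->size` before the assignment. Note also that when the payload carries more than one entry of the same type the last one silently overwrites the earlier ones, including `inst->fw_min_count`.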

[Severity: High]
Similarly, should this be assigned to req->count_min instead of
req->count_actual to maintain consistent minimum buffer count derivations?

> +	}
> +}

[ ... ]

> @@ -657,7 +729,7 @@ static void iris_hfi_gen1_handle_response(struct iris_core *core, void *response
>  		} else if (hdr->pkt_type == HFI_MSG_SESSION_EMPTY_BUFFER) {
>  			iris_hfi_gen1_session_etb_done(inst, hdr);
>  		} else if (hdr->pkt_type == HFI_MSG_SESSION_FILL_BUFFER) {
>  			iris_hfi_gen1_session_ftb_done(inst, hdr);

[Severity: High]
This isn't a bug introduced by this patch, but can this lead to a
use-after-free regression?

During session teardown, iris_close() releases the M2M context before
shutting down the firmware session:

iris_vidc.c:iris_close() {
    ...
    v4l2_m2m_ctx_release(inst->m2m_ctx);
    ...
}

If an HFI_MSG_SESSION_FILL_BUFFER event arrives before the session is fully
closed, the threaded IRQ handler calls iris_hfi_gen1_session_ftb_done() which
subsequently accesses the freed context in v4l2_m2m_for_each_dst_buf_safe().

Is there a way to defer freeing the M2M context until the session is safely
stopped?

>  		} else if (hdr->pkt_type == HFI_MSG_SESSION_PROPERTY_INFO) {
> -			complete(&inst->completion);
> +			iris_hfi_gen1_session_property_info(inst, hdr);
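Review bot: the unconditional `complete(&inst->completion)` on HFI_MSG_SESSION_PROPERTY_INFO is replaced by `iris_hfi_gen1_session_property_info(inst, hdr)`, which is not in the visible diff, so it is worth confirming that the helper still signals the completion on every path, including a short payload or an unrecognised property id. Otherwise the GET_PROPERTY waiter added in patch 10/16 of this series sits out its full timeout on the first unexpected property response from the Gen1 firmware.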

[Severity: High]
This is a pre-existing issue, but is it safe for
iris_hfi_gen1_handle_response() to use the inst pointer here without a
reference count?

When iris_get_instance() looks up the instance, it returns the pointer without
taking a reference. If a userspace thread executing iris_close() frees the
instance:

iris_vidc.c:iris_close() {
    ...
    kfree(inst);
}

Could the threaded IRQ handler concurrently attempt to lock the destroyed
inst->lock or dereference inst while handling responses, resulting in a
use-after-free?

>  		} else {
>  			struct hfi_msg_session_hdr_pkt *shdr;
>

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260612-iris-ar50lt-v4-0-0abfb74d5b3c@oss.qualcomm.com?part=11
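The buffer-requirements parse loop in the quoted hunk, as an added user-space model written for this page; it is not code from the patch, the iris driver or the Sashiko review. The struct layout, the firmware type ids, the 64 MiB sanity bound and the choice of `count_min` as the minimum-count field are all assumptions, as are the `apply_buffer_requirements()` and `hfi_buf_type_to_iris()` names. It adds the two checks a reviewer would want on firmware-supplied data: a payload that is not a whole number of entries is rejected outright rather than partially applied, and an entry with a zero or absurd size is rejected before it can reach queue setup.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed wire layout of one entry (hypothetical; the real kernel struct is not
 * shown on this page): packed 32-bit fields in the order HFI payloads use. */
struct hfi_buffer_requirements {
	uint32_t type;
	uint32_t size;
	uint32_t region_size;
	uint32_t hold_count;
	uint32_t count_min;
	uint32_t count_actual;
	uint32_t contiguous;
	uint32_t alignment;
};

/* Hypothetical firmware buffer type ids. */
enum { HFI_BUFFER_INPUT = 1, HFI_BUFFER_OUTPUT = 2, HFI_BUFFER_INTERNAL_SCRATCH = 6 };

/* Driver-side slots, standing in for inst->buffers[type] in the patch. */
enum iris_buffer_type { BUF_INPUT, BUF_OUTPUT, BUF_MAX };

struct iris_buffer { uint32_t min_count; uint32_t size; };
struct iris_inst {
	struct iris_buffer buffers[BUF_MAX];
	uint32_t fw_min_count;
};

#define MAX_BUFFER_SIZE (64u << 20) /* assumed sanity bound: 64 MiB per buffer */

/* Firmware type -> driver slot; negative for types the driver does not track
 * (the patch's iris_hfi_gen1_buf_type() plays this role). */
static int hfi_buf_type_to_iris(uint32_t hfi_type)
{
	switch (hfi_type) {
	case HFI_BUFFER_INPUT:  return BUF_INPUT;
	case HFI_BUFFER_OUTPUT: return BUF_OUTPUT;
	default:                return -1;
	}
}

/* Apply a HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS payload. Returns the number of
 * entries applied, or -1 when the payload is empty or not a whole number of
 * entries, or when an entry carries a value that cannot be used (zero size,
 * size above the sanity bound, zero minimum count). Unknown types are skipped. */
int apply_buffer_requirements(struct iris_inst *inst, const void *data, size_t size)
{
	const size_t entry = sizeof(struct hfi_buffer_requirements);
	const uint8_t *p = data;
	int applied = 0;

	if (!size || size % entry)
		return -1;

	for (; size; size -= entry, p += entry) {
		struct hfi_buffer_requirements req;
		int type;

		memcpy(&req, p, sizeof(req)); /* no alignment assumption on the payload */

		type = hfi_buf_type_to_iris(req.type);
		if (type < 0)
			continue;

		/* Firmware data is untrusted: refuse values that would only fail later. */
		if (!req.size || req.size > MAX_BUFFER_SIZE || !req.count_min)
			return -1;

		inst->buffers[type].size = req.size;
		/* Assumption: count_min is the forward-progress minimum. The patch
		 * uses hold_count here, which the review above questions. */
		inst->buffers[type].min_count = req.count_min;
		if (type == BUF_OUTPUT)
			inst->fw_min_count = req.count_min;
		applied++;
	}
	return applied;
}

/* Constructed sample payload (not captured from hardware): an input entry, an
 * output entry and one internal type the driver does not track. */
static const struct hfi_buffer_requirements sample_reqs[3] = {
	{ .type = HFI_BUFFER_INPUT,  .size = 0x100000, .hold_count = 1, .count_min = 2, .count_actual = 4 },
	{ .type = HFI_BUFFER_OUTPUT, .size = 0x300000, .hold_count = 2, .count_min = 4, .count_actual = 8 },
	{ .type = HFI_BUFFER_INTERNAL_SCRATCH, .size = 0x8000, .count_min = 1 },
};

static struct iris_inst sample_inst;

/* Applies the sample payload; two entries are tracked, the scratch one is skipped. */
int run_sample(void)
{
	memset(&sample_inst, 0, sizeof(sample_inst));
	return apply_buffer_requirements(&sample_inst, sample_reqs, sizeof(sample_reqs));
}

uint32_t sample_output_min_count(void) { return sample_inst.fw_min_count; }
uint32_t sample_input_size(void) { return sample_inst.buffers[BUF_INPUT].size; }

/* A payload one byte short of a whole entry is rejected, not partially applied. */
int reject_truncated(void)
{
	return apply_buffer_requirements(&sample_inst, sample_reqs, sizeof(sample_reqs) - 1);
}

/* A zero-sized output buffer is rejected before it can reach queue setup. */
int reject_zero_size(void)
{
	struct hfi_buffer_requirements bad = { .type = HFI_BUFFER_OUTPUT, .size = 0, .count_min = 1 };
	return apply_buffer_requirements(&sample_inst, &bad, sizeof(bad));
}
```

The memcpy into a local copy is deliberate: the payload pointer handed to the response handler is whatever offset the firmware message places it at, and copying out avoids both alignment assumptions and reading the entry twice after a check.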

Thread overview (27+ messages):
2026-06-12  9:25 [PATCH v4 00/16] media: iris: Add AR50LT core support and enable Agatti platform Dmitry Baryshkov
2026-06-12  9:25 ` [PATCH v4 01/16] media: iris: Skip UBWC configuration when not supported Dmitry Baryshkov
2026-06-12  9:25 ` [PATCH v4 02/16] media: iris: Filter UBWC raw formats based on hardware capabilities Dmitry Baryshkov
2026-06-12  9:36   ` sashiko-bot
2026-06-12  9:25 ` [PATCH v4 03/16] media: iris: Introduce set_preset_register as a vpu_op Dmitry Baryshkov
2026-06-12  9:25 ` [PATCH v4 04/16] media: iris: Introduce interrupt_init " Dmitry Baryshkov
2026-06-12  9:25 ` [PATCH v4 05/16] media: iris: add vpu op hook to disable ARP buffer Dmitry Baryshkov
2026-06-12  9:25 ` [PATCH v4 06/16] media: iris: Add platform data field for watchdog interrupt mask Dmitry Baryshkov
2026-06-12  9:41   ` sashiko-bot
2026-06-12  9:25 ` [PATCH v4 07/16] media: iris: Add platform flag for instantaneous bandwidth voting Dmitry Baryshkov
2026-06-12  9:46   ` sashiko-bot
2026-06-12  9:25 ` [PATCH v4 08/16] media: iris: skip PIPE if it is not supported by the platform Dmitry Baryshkov
2026-06-12  9:25 ` [PATCH v4 09/16] media: iris: Add framework support for AR50_LITE video core Dmitry Baryshkov
2026-06-12  9:54   ` sashiko-bot
2026-06-12  9:25 ` [PATCH v4 10/16] media: iris: add minimal GET_PROPERTY implementation Dmitry Baryshkov
2026-06-12  9:56   ` sashiko-bot
2026-06-12  9:25 ` [PATCH v4 11/16] media: iris: update buffer requirements based on received info Dmitry Baryshkov
2026-06-12 10:08   ` sashiko-bot [this message]
2026-06-12  9:25 ` [PATCH v4 12/16] media: iris: implement support for the Agatti platform Dmitry Baryshkov
2026-06-12 10:25   ` sashiko-bot
2026-06-12  9:25 ` [PATCH v4 13/16] media: iris: Introduce buffer size calculations for AR50LT Dmitry Baryshkov
2026-06-12 10:22   ` sashiko-bot
2026-06-12  9:25 ` [PATCH v4 14/16] media: iris: add Gen2 firmware support on the Agatti platform Dmitry Baryshkov
2026-06-12 10:39   ` sashiko-bot
2026-06-12  9:25 ` [PATCH v4 15/16] media: venus: skip QCM2290 if Iris driver is enabled Dmitry Baryshkov
2026-06-12 10:33   ` sashiko-bot
2026-06-12  9:25 ` [PATCH v4 16/16] media: iris: constify inst_fw_cap_sm8250_dec Dmitry Baryshkov
