Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Atanas Filipov" <atanas.filipov@oss.qualcomm.com>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v3 1/4] media: qcom: camss: populate child platform devices
Date: Mon, 29 Jun 2026 12:30:46 +0000	[thread overview]
Message-ID: <20260629123047.0FCA91F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629121750.3469292-2-atanas.filipov@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Pre-existing use-after-free vulnerability due to mixing `devm_kzalloc` with asynchronous V4L2 video device lifecycle.
--

commit 9fa1d355926fe655802b3d013baabb22bd939e3e
Author: Atanas Filipov <atanas.filipov@oss.qualcomm.com>

media: qcom: camss: populate child platform devices

Call of_platform_populate() at the end of camss_probe() so that child
nodes of the CAMSS DT node are registered as platform devices and
probed via their own platform_driver.

Call of_platform_depopulate() at the start of camss_remove() to tear
down child devices before the parent unwinds its own resources.

Link: https://patchwork.linuxtv.org/project/linux-media/patch/20260326-b4-linux-next-25-03-13-dtsi-x1e80100-camss-v11-4-5b93415be6dd@linaro.org/

> diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c
> index 2123f6388e3d7..d2ecc79d5269f 100644
> --- a/drivers/media/platform/qcom/camss/camss.c
> +++ b/drivers/media/platform/qcom/camss/camss.c

[ ... ]

> @@ -5497,6 +5500,7 @@ static void camss_remove(struct platform_device *pdev)
>  {
>  	struct camss *camss = platform_get_drvdata(pdev);
>  
> +	of_platform_depopulate(&pdev->dev);
>  	v4l2_async_nf_unregister(&camss->notifier);
>  	v4l2_async_nf_cleanup(&camss->notifier);
>  	camss_unregister_entities(camss);

[Severity: High]
This is a pre-existing issue, but does camss_remove() lead to a use-after-free
if a userspace process holds the V4L2 video node open during unbind?

In camss_probe(), the camss structure and its sub-structures are allocated
using devm_kzalloc() and devm_kcalloc():

camss_probe() {
    ...
    camss = devm_kzalloc(dev, sizeof(*camss), GFP_KERNEL);
    ...
    camss->vfe = devm_kcalloc(dev, camss->res->vfe_num,
                              sizeof(*camss->vfe), GFP_KERNEL);
    ...
}

If the device is unbound while the video device is kept open by userspace,
camss_remove() checks atomic_read(&camss->ref_count). If the count is greater
than zero, it skips camss_delete() but still returns. The driver core then
automatically frees the devres-managed memory for the camss structure.

Later, when userspace closes the file descriptor, the V4L2 core invokes the
deferred msm_video_release() callback:

drivers/media/platform/qcom/camss/camss-video.c:msm_video_release() {
    struct camss_video *video = video_get_drvdata(vdev);

    media_entity_cleanup(&vdev->entity);

    mutex_destroy(&video->q_lock);
    mutex_destroy(&video->lock);

    if (atomic_dec_and_test(&video->camss->ref_count))
        camss_delete(video->camss);
}

Will this asynchronous callback access the already-freed video and
video->camss structures when trying to destroy the mutexes and decrement
the reference count?

Is it safe to use devm allocators for structures embedding V4L2 video devices,
or should their lifetimes be strictly tied to the V4L2 release callback?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629121750.3469292-1-atanas.filipov@oss.qualcomm.com?part=1

  reply	other threads:[~2026-06-29 12:30 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 12:17 [PATCH v3 0/4] Add Qualcomm JPEG V4L2 encoder for SM8250 Atanas Filipov
2026-06-29 12:17 ` [PATCH v3 1/4] media: qcom: camss: populate child platform devices Atanas Filipov
2026-06-29 12:30   ` sashiko-bot [this message]
2026-06-29 13:41   ` Vladimir Zapolskiy
2026-06-29 12:17 ` [PATCH v3 2/4] dt-bindings: media: qcom: Add JPEG encoder binding Atanas Filipov
2026-06-29 12:25   ` sashiko-bot
2026-06-29 12:58   ` Dmitry Baryshkov
2026-06-29 13:38   ` Vladimir Zapolskiy
2026-06-30 13:19     ` Bryan O'Donoghue
2026-06-30 13:32       ` Vladimir Zapolskiy
2026-06-30 20:24         ` Bryan O'Donoghue
2026-06-30 21:02           ` Vladimir Zapolskiy
2026-06-29 13:41   ` Rob Herring (Arm)
2026-06-29 12:17 ` [PATCH v3 3/4] arm64: dts: qcom: sm8250: Add JPEG encoder node Atanas Filipov
2026-06-29 12:34   ` sashiko-bot
2026-06-29 13:02   ` Dmitry Baryshkov
2026-06-29 12:17 ` [PATCH v3 4/4] media: qcom: jpeg: Add Qualcomm JPEG V4L2 encoder Atanas Filipov
2026-06-29 12:46   ` sashiko-bot
2026-06-29 13:48   ` Bryan O'Donoghue
2026-06-29 13:50     ` Bryan O'Donoghue
2026-06-30  9:13   ` Konrad Dybcio
2026-06-30 13:06   ` Dmitry Baryshkov
2026-06-30 14:14     ` Atanas Filipov
2026-07-01  0:13       ` Dmitry Baryshkov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629123047.0FCA91F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=atanas.filipov@oss.qualcomm.com \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox