vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Add a vb2_verify_memory_type() check symmetrical to vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.
CC: stable@vger.kernel.org Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") Reported-by: Shuangpeng BaiSJB7183@psu.edu Suggested-by: Benjamin Gaignard benjamin.gaignard@collabora.com Signed-off-by: Marek Szyprowski m.szyprowski@samsung.com --- v2: - dropped a change to vb2_ioctl_create_bufs(), as it is already handled by the vb2_verify_memory_type() call - replaced queue->type check in vb2_ioctl_remove_bufs() by a call to vb2_verify_memory_type() which covers all cases
v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com... --- drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c index d911021c1bb0..0de7490292fe 100644 --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c @@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv, struct v4l2_remove_buffers *d) { struct video_device *vdev = video_devdata(file); + int res;
- if (vdev->queue->type != d->type) - return -EINVAL; + res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type); + if (res) + return res;
if (d->count == 0) return 0;
Le 20/10/2025 à 18:01, Marek Szyprowski a écrit :
vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Add a vb2_verify_memory_type() check symmetrical to vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.
CC: stable@vger.kernel.org Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") Reported-by: Shuangpeng BaiSJB7183@psu.edu Suggested-by: Benjamin Gaignard benjamin.gaignard@collabora.com Signed-off-by: Marek Szyprowski m.szyprowski@samsung.com
Thanks for the patch.
Reviewed-by: Benjamin Gaignard benjamin.gaignard@collabora.com
v2:
- dropped a change to vb2_ioctl_create_bufs(), as it is already handled by the vb2_verify_memory_type() call
- replaced queue->type check in vb2_ioctl_remove_bufs() by a call to vb2_verify_memory_type() which covers all cases
v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com...
drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c index d911021c1bb0..0de7490292fe 100644 --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c @@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv, struct v4l2_remove_buffers *d) { struct video_device *vdev = video_devdata(file);
- int res;
- if (vdev->queue->type != d->type)
return -EINVAL;
- res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
- if (res)
return res;if (d->count == 0) return 0;
Hi Marek,
On 20/10/2025 18:01, Marek Szyprowski wrote:
vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Add a vb2_verify_memory_type() check symmetrical to vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.
CC: stable@vger.kernel.org Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") Reported-by: Shuangpeng BaiSJB7183@psu.edu Suggested-by: Benjamin Gaignard benjamin.gaignard@collabora.com Signed-off-by: Marek Szyprowski m.szyprowski@samsung.com
I'll pick this up as a fix for v6.18. I think this is important enough to not wait for v6.19.
Regards,
Hans
v2:
- dropped a change to vb2_ioctl_create_bufs(), as it is already handled by the vb2_verify_memory_type() call
- replaced queue->type check in vb2_ioctl_remove_bufs() by a call to vb2_verify_memory_type() which covers all cases
v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com...
drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c index d911021c1bb0..0de7490292fe 100644 --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c @@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv, struct v4l2_remove_buffers *d) { struct video_device *vdev = video_devdata(file);
- int res;
- if (vdev->queue->type != d->type)
return -EINVAL;
- res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
- if (res)
return res;if (d->count == 0) return 0;
On 21/10/2025 11:56, Hans Verkuil wrote:
Hi Marek,
On 20/10/2025 18:01, Marek Szyprowski wrote:
vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Add a vb2_verify_memory_type() check symmetrical to vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.
CC: stable@vger.kernel.org Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") Reported-by: Shuangpeng BaiSJB7183@psu.edu Suggested-by: Benjamin Gaignard benjamin.gaignard@collabora.com Signed-off-by: Marek Szyprowski m.szyprowski@samsung.com
I'll pick this up as a fix for v6.18. I think this is important enough to not wait for v6.19.
Hmm, it's failing on v4l2-compliance. I'm debugging to see whether it is a kernel or v4l2-compliance problem.
Regards,
Hans
Regards,
Hans
v2:
- dropped a change to vb2_ioctl_create_bufs(), as it is already handled by the vb2_verify_memory_type() call
- replaced queue->type check in vb2_ioctl_remove_bufs() by a call to vb2_verify_memory_type() which covers all cases
v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com...
drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c index d911021c1bb0..0de7490292fe 100644 --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c @@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv, struct v4l2_remove_buffers *d) { struct video_device *vdev = video_devdata(file);
- int res;
- if (vdev->queue->type != d->type)
return -EINVAL;
- res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
- if (res)
return res;if (d->count == 0) return 0;
On 23/10/2025 11:01, Hans Verkuil wrote:
On 21/10/2025 11:56, Hans Verkuil wrote:
Hi Marek,
On 20/10/2025 18:01, Marek Szyprowski wrote:
vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Add a vb2_verify_memory_type() check symmetrical to vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.
CC: stable@vger.kernel.org Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") Reported-by: Shuangpeng BaiSJB7183@psu.edu Suggested-by: Benjamin Gaignard benjamin.gaignard@collabora.com Signed-off-by: Marek Szyprowski m.szyprowski@samsung.com
I'll pick this up as a fix for v6.18. I think this is important enough to not wait for v6.19.
Hmm, it's failing on v4l2-compliance. I'm debugging to see whether it is a kernel or v4l2-compliance problem.
Regards,
Hans
Regards,
Hans
v2:
- dropped a change to vb2_ioctl_create_bufs(), as it is already handled by the vb2_verify_memory_type() call
- replaced queue->type check in vb2_ioctl_remove_bufs() by a call to vb2_verify_memory_type() which covers all cases
v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com...
drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c index d911021c1bb0..0de7490292fe 100644 --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c @@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv, struct v4l2_remove_buffers *d) { struct video_device *vdev = video_devdata(file);
- int res;
- if (vdev->queue->type != d->type)
return -EINVAL;
- res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
- if (res)
return res;if (d->count == 0) return 0;
This is the problem. For the corner case where d->count == 0 it can be that vdev->queue->memory is VB2_MEMORY_UNKNOWN (that happens if no buffers were ever queued). But it should still return 0 in that case. Also the fileio test doesn't apply in that case, but that's not tested in v4l2-compliance.
I suggest this:
if (d->count == 0) return d->type == vdev->queue->type ? 0 : -EINVAL;
res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type); if (res) return res;
I tested this and it passes v4l2-compliance.
Marek, can you post a v3?
Thank you,
Hans
linux-stable-mirror@lists.linaro.org
-
Benjamin Gaignard -
Hans Verkuil -
Marek Szyprowski