1. Patchew
  2. linux
  3. View series

[PATCH v2] media: videobuf2: forbid remove_bufs when legacy fileio is active

Marek Szyprowski posted 1 patch 3 months, 2 weeks ago
There is a newer version of this series
drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
[PATCH v2] media: videobuf2: forbid remove_bufs when legacy fileio is active
Posted by Marek Szyprowski 3 months, 2 weeks ago 
vb2_ioctl_remove_bufs() call manipulates queue internal buffer list,
potentially overwriting some pointers used by the legacy fileio access
mode. Add a vb2_verify_memory_type() check symmetrical to
vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to
protect internal queue state between subsequent read/write calls.

CC: stable@vger.kernel.org
Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl")
Reported-by: Shuangpeng Bai<SJB7183@psu.edu>
Suggested-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
---
v2:
- dropped a change to vb2_ioctl_create_bufs(), as it is already handled
  by the vb2_verify_memory_type() call
- replaced queue->type check in vb2_ioctl_remove_bufs() by a call to
  vb2_verify_memory_type() which covers all cases

v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com/
---
 drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c
index d911021c1bb0..0de7490292fe 100644
--- a/drivers/media/common/videobuf2/videobuf2-v4l2.c
+++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c
@@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv,
 			  struct v4l2_remove_buffers *d)
 {
 	struct video_device *vdev = video_devdata(file);
+	int res;
 
-	if (vdev->queue->type != d->type)
-		return -EINVAL;
+	res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
+	if (res)
+		return res;
 
 	if (d->count == 0)
 		return 0;
-- 
2.34.1
Re: [PATCH v2] media: videobuf2: forbid remove_bufs when legacy fileio is active
Posted by Hans Verkuil 3 months, 2 weeks ago 
Hi Marek,

On 20/10/2025 18:01, Marek Szyprowski wrote:
> vb2_ioctl_remove_bufs() call manipulates queue internal buffer list,
> potentially overwriting some pointers used by the legacy fileio access
> mode. Add a vb2_verify_memory_type() check symmetrical to
> vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to
> protect internal queue state between subsequent read/write calls.
> 
> CC: stable@vger.kernel.org
> Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl")
> Reported-by: Shuangpeng Bai<SJB7183@psu.edu>
> Suggested-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>

I'll pick this up as a fix for v6.18. I think this is important enough to
not wait for v6.19.

Regards,

	Hans

> ---
> v2:
> - dropped a change to vb2_ioctl_create_bufs(), as it is already handled
>   by the vb2_verify_memory_type() call
> - replaced queue->type check in vb2_ioctl_remove_bufs() by a call to
>   vb2_verify_memory_type() which covers all cases
> 
> v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com/
> ---
>  drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c
> index d911021c1bb0..0de7490292fe 100644
> --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c
> +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c
> @@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv,
>  			  struct v4l2_remove_buffers *d)
>  {
>  	struct video_device *vdev = video_devdata(file);
> +	int res;
>  
> -	if (vdev->queue->type != d->type)
> -		return -EINVAL;
> +	res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
> +	if (res)
> +		return res;
>  
>  	if (d->count == 0)
>  		return 0;
Re: [PATCH v2] media: videobuf2: forbid remove_bufs when legacy fileio is active
Posted by Hans Verkuil 3 months, 2 weeks ago 
On 21/10/2025 11:56, Hans Verkuil wrote:
> Hi Marek,
> 
> On 20/10/2025 18:01, Marek Szyprowski wrote:
>> vb2_ioctl_remove_bufs() call manipulates queue internal buffer list,
>> potentially overwriting some pointers used by the legacy fileio access
>> mode. Add a vb2_verify_memory_type() check symmetrical to
>> vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to
>> protect internal queue state between subsequent read/write calls.
>>
>> CC: stable@vger.kernel.org
>> Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl")
>> Reported-by: Shuangpeng Bai<SJB7183@psu.edu>
>> Suggested-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
>> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
> 
> I'll pick this up as a fix for v6.18. I think this is important enough to
> not wait for v6.19.

Hmm, it's failing on v4l2-compliance. I'm debugging to see whether it is a
kernel or v4l2-compliance problem.

Regards,

	Hans

> 
> Regards,
> 
> 	Hans
> 
>> ---
>> v2:
>> - dropped a change to vb2_ioctl_create_bufs(), as it is already handled
>>   by the vb2_verify_memory_type() call
>> - replaced queue->type check in vb2_ioctl_remove_bufs() by a call to
>>   vb2_verify_memory_type() which covers all cases
>>
>> v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com/
>> ---
>>  drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c
>> index d911021c1bb0..0de7490292fe 100644
>> --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c
>> +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c
>> @@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv,
>>  			  struct v4l2_remove_buffers *d)
>>  {
>>  	struct video_device *vdev = video_devdata(file);
>> +	int res;
>>  
>> -	if (vdev->queue->type != d->type)
>> -		return -EINVAL;
>> +	res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
>> +	if (res)
>> +		return res;
>>  
>>  	if (d->count == 0)
>>  		return 0;
> 
>
Re: [PATCH v2] media: videobuf2: forbid remove_bufs when legacy fileio is active
Posted by Hans Verkuil 3 months, 2 weeks ago 
On 23/10/2025 11:01, Hans Verkuil wrote:
> On 21/10/2025 11:56, Hans Verkuil wrote:
>> Hi Marek,
>>
>> On 20/10/2025 18:01, Marek Szyprowski wrote:
>>> vb2_ioctl_remove_bufs() call manipulates queue internal buffer list,
>>> potentially overwriting some pointers used by the legacy fileio access
>>> mode. Add a vb2_verify_memory_type() check symmetrical to
>>> vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to
>>> protect internal queue state between subsequent read/write calls.
>>>
>>> CC: stable@vger.kernel.org
>>> Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl")
>>> Reported-by: Shuangpeng Bai<SJB7183@psu.edu>
>>> Suggested-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
>>> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
>>
>> I'll pick this up as a fix for v6.18. I think this is important enough to
>> not wait for v6.19.
> 
> Hmm, it's failing on v4l2-compliance. I'm debugging to see whether it is a
> kernel or v4l2-compliance problem.
> 
> Regards,
> 
> 	Hans
> 
>>
>> Regards,
>>
>> 	Hans
>>
>>> ---
>>> v2:
>>> - dropped a change to vb2_ioctl_create_bufs(), as it is already handled
>>>   by the vb2_verify_memory_type() call
>>> - replaced queue->type check in vb2_ioctl_remove_bufs() by a call to
>>>   vb2_verify_memory_type() which covers all cases
>>>
>>> v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com/
>>> ---
>>>  drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++--
>>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c
>>> index d911021c1bb0..0de7490292fe 100644
>>> --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c
>>> +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c
>>> @@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv,
>>>  			  struct v4l2_remove_buffers *d)
>>>  {
>>>  	struct video_device *vdev = video_devdata(file);
>>> +	int res;
>>>  
>>> -	if (vdev->queue->type != d->type)
>>> -		return -EINVAL;
>>> +	res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
>>> +	if (res)
>>> +		return res;
>>>  
>>>  	if (d->count == 0)
>>>  		return 0;

This is the problem. For the corner case where d->count == 0 it can be that
vdev->queue->memory is VB2_MEMORY_UNKNOWN (that happens if no buffers were ever
queued). But it should still return 0 in that case. Also the fileio test doesn't
apply in that case, but that's not tested in v4l2-compliance.

I suggest this:

	if (d->count == 0)
		return d->type == vdev->queue->type ? 0 : -EINVAL;

	res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
	if (res)
		return res;

I tested this and it passes v4l2-compliance.

Marek, can you post a v3?

Thank you,

	Hans

>>
>>
> 
>
Re: [PATCH v2] media: videobuf2: forbid remove_bufs when legacy fileio is active
Posted by Benjamin Gaignard 3 months, 2 weeks ago 
Le 20/10/2025 à 18:01, Marek Szyprowski a écrit :
> vb2_ioctl_remove_bufs() call manipulates queue internal buffer list,
> potentially overwriting some pointers used by the legacy fileio access
> mode. Add a vb2_verify_memory_type() check symmetrical to
> vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to
> protect internal queue state between subsequent read/write calls.
>
> CC: stable@vger.kernel.org
> Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl")
> Reported-by: Shuangpeng Bai<SJB7183@psu.edu>
> Suggested-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>

Thanks for the patch.

Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>

> ---
> v2:
> - dropped a change to vb2_ioctl_create_bufs(), as it is already handled
>    by the vb2_verify_memory_type() call
> - replaced queue->type check in vb2_ioctl_remove_bufs() by a call to
>    vb2_verify_memory_type() which covers all cases
>
> v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com/
> ---
>   drivers/media/common/videobuf2/videobuf2-v4l2.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c
> index d911021c1bb0..0de7490292fe 100644
> --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c
> +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c
> @@ -1000,9 +1000,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv,
>   			  struct v4l2_remove_buffers *d)
>   {
>   	struct video_device *vdev = video_devdata(file);
> +	int res;
>   
> -	if (vdev->queue->type != d->type)
> -		return -EINVAL;
> +	res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type);
> +	if (res)
> +		return res;
>   
>   	if (d->count == 0)
>   		return 0;

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.