lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <225bb9d1-1c50-411c-bb77-d336b1446dff@de.bosch.com>
Date: Tue, 1 Jul 2025 07:09:24 +0200
From: Dirk Behme <dirk.behme@...bosch.com>
To: Julien Massot <julien.massot@...labora.com>, <kernel@...labora.com>, "Jai
 Luthra" <jai.luthra@...ux.dev>, Mauro Carvalho Chehab <mchehab@...nel.org>,
	Pratyush Yadav <p.yadav@...com>, Tomi Valkeinen
	<tomi.valkeinen@...asonboard.com>, Sakari Ailus
	<sakari.ailus@...ux.intel.com>, Hans Verkuil <hverkuil@...all.nl>
CC: Vaishnav Achath <vaishnav.a@...com>, <linux-media@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, Sjoerd Simons <sjoerd@...labora.com>
Subject: Re: [PATCH] media: ti: j721e-csi2rx: fix list_del corruption

On 30/06/2025 12:46, Julien Massot wrote:
> If ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is
> marked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue.
> This causes the same buffer to be retried in the next iteration, resulting in
> a double list_del() and eventual list corruption.
> 
> Fix this by removing the buffer from the queue before calling vb2_buffer_done()
> on error.
> 
> This resolves a crash due to list_del corruption:
> [   37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA
> [   37.832187]  slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048
> [   37.839761] list_del corruption. next->prev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428)
> [   37.850799] ------------[ cut here ]------------
> [   37.855424] kernel BUG at lib/list_debug.c:65!
> [   37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
> [   37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul
> [   37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY
> [   37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT)
> [   37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [   37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114
> [   37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114
> [   37.914059] sp : ffff800080003db0
> [   37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000
> [   37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122
> [   37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0
> [   37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a
> [   37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720
> [   37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea
> [   37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568
> [   37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff
> [   37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000
> [   37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d
> [   37.988832] Call trace:
> [   37.991281]  __list_del_entry_valid_or_report+0xdc/0x114 (P)
> [   37.996959]  ti_csi2rx_dma_callback+0x84/0x1c4
> [   38.001419]  udma_vchan_complete+0x1e0/0x344
> [   38.005705]  tasklet_action_common+0x118/0x310
> [   38.010163]  tasklet_action+0x30/0x3c
> [   38.013832]  handle_softirqs+0x10c/0x2e0
> [   38.017761]  __do_softirq+0x14/0x20
> [   38.021256]  ____do_softirq+0x10/0x20
> [   38.024931]  call_on_irq_stack+0x24/0x60
> [   38.028873]  do_softirq_own_stack+0x1c/0x40
> [   38.033064]  __irq_exit_rcu+0x130/0x15c
> [   38.036909]  irq_exit_rcu+0x10/0x20
> [   38.040403]  el1_interrupt+0x38/0x60
> [   38.043987]  el1h_64_irq_handler+0x18/0x24
> [   38.048091]  el1h_64_irq+0x6c/0x70
> [   38.051501]  default_idle_call+0x34/0xe0 (P)
> [   38.055783]  do_idle+0x1f8/0x250
> [   38.059021]  cpu_startup_entry+0x34/0x3c
> [   38.062951]  rest_init+0xb4/0xc0
> [   38.066186]  console_on_rootfs+0x0/0x6c
> [   38.070031]  __primary_switched+0x88/0x90
> [   38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000)
> [   38.080168] ---[ end trace 0000000000000000 ]---
> [   38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
> [   38.092197] SMP: stopping secondary CPUs
> [   38.096139] Kernel Offset: disabled
> [   38.099631] CPU features: 0x0000,00002000,02000801,0400420b
> [   38.105202] Memory Limit: none
> [   38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]---
> 
> Fixes: b4a3d877dc92 ("media: ti: Add CSI2RX support for J721E")
> Suggested-by: Sjoerd Simons <sjoerd@...labora.com>
> Signed-off-by: Sjoerd Simons <sjoerd@...labora.com>
> Signed-off-by: Julien Massot <julien.massot@...labora.com>


Tested-by: Dirk Behme <dirk.behme@...bosch.com>

Thanks!

Dirk


> ---
>  drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
> index 6412a00be8eab89548950dd21b3b3ec02dafa5b4..0e358759e35faac95d1520e14a75096375c806bb 100644
> --- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
> +++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
> @@ -619,6 +619,7 @@ static void ti_csi2rx_dma_callback(void *param)
>  
>  		if (ti_csi2rx_start_dma(csi, buf)) {
>  			dev_err(csi->dev, "Failed to queue the next buffer for DMA\n");
> +			list_del(&buf->list);
>  			vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR);
>  		} else {
>  			list_move_tail(&buf->list, &dma->submitted);
> 
> ---
> base-commit: 1343433ed38923a21425c602e92120a1f1db5f7a
> change-id: 20250630-j721e-dma-fixup-5b4f9678b7a6
> 
> Best regards,


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ