Message-Id: <20251016111154.993949-1-m.szyprowski@samsung.com>
Date: Thu, 16 Oct 2025 13:11:54 +0200
From: Marek Szyprowski <m.szyprowski@...sung.com>
To: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: Marek Szyprowski <m.szyprowski@...sung.com>, Tomasz Figa
	<tfiga@...omium.org>, Mauro Carvalho Chehab <mchehab@...nel.org>, Guennadi
	Liakhovetski <g.liakhovetski@....de>, Benjamin Gaignard
	<benjamin.gaignard@...labora.com>, Hans Verkuil <hverkuil@...nel.org>,
	stable@...r.kernel.org
Subject: [PATCH] media: videobuf2: forbid create_bufs/remove_bufs when
 legacy fileio is active

create_bufs and remove_bufs ioctl calls manipulate queue internal buffer
list, potentially overwriting some pointers used by the legacy fileio
access mode. Simply forbid those calls when fileio is active to protect
internal queue state between subsequent read/write calls.

CC: stable@...r.kernel.org
Fixes: 2d86401c2cbf ("[media] V4L: vb2: add support for buffers of different sizes on a single queue")
Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl")
Signed-off-by: Marek Szyprowski <m.szyprowski@...sung.com>
---
 drivers/media/common/videobuf2/videobuf2-v4l2.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c
index d911021c1bb0..f4104d5971dd 100644
--- a/drivers/media/common/videobuf2/videobuf2-v4l2.c
+++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c
@@ -751,6 +751,11 @@ int vb2_create_bufs(struct vb2_queue *q, struct v4l2_create_buffers *create)
 	int ret = vb2_verify_memory_type(q, create->memory, f->type);
 	unsigned i;
 
+	if (vb2_fileio_is_active(q)) {
+		dprintk(q, 1, "file io in progress\n");
+		return -EBUSY;
+	}
+
 	create->index = vb2_get_num_buffers(q);
 	vb2_set_flags_and_caps(q, create->memory, &create->flags,
 			       &create->capabilities, &create->max_num_buffers);
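Review bot: The early return in vb2_create_bufs() sits before create->index, create->flags, create->capabilities and create->max_num_buffers are filled in, so a caller that hits the fileio case gets -EBUSY with those fields left untouched. If that is intended, say so in the commit message; otherwise move the vb2_fileio_is_active(q) check below the vb2_set_flags_and_caps() call so the informational fields are still populated. Note also that ret from vb2_verify_memory_type() has already been computed in the initializer and is discarded on this path, so a bad memory type now reports -EBUSY rather than its own error while fileio is active; ordering the new check after the existing ret handling would keep the more specific error.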
@@ -1010,6 +1015,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv,
 	if (vb2_queue_is_busy(vdev->queue, file))
 		return -EBUSY;
 
+	if (vb2_fileio_is_active(vdev->queue)) {
+		dprintk(vdev->queue, 1, "file io in progress\n");
+		return -EBUSY;
+	}
+
 	return vb2_core_remove_bufs(vdev->queue, d->index, d->count);
 }
 EXPORT_SYMBOL_GPL(vb2_ioctl_remove_bufs);
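Review bot: The remove path is guarded in the vb2_ioctl_remove_bufs() helper, while the create path is guarded inside vb2_create_bufs() itself, so the two checks live at different layers. Any caller that reaches vb2_core_remove_bufs() without going through this ioctl helper is not covered by the new vb2_fileio_is_active() test. Consider placing the check in the function that actually manipulates the buffer list (or at the same layer as the create_bufs check) so both operations are protected consistently, and mention in the commit message why the chosen layer is sufficient.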
-- 
2.34.1

