Message-Id: <20251023142634.1642093-1-m.szyprowski@samsung.com>
Date: Thu, 23 Oct 2025 16:26:34 +0200
From: Marek Szyprowski <m.szyprowski@...sung.com>
To: linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: Marek Szyprowski <m.szyprowski@...sung.com>, Tomasz Figa
	<tfiga@...omium.org>, Mauro Carvalho Chehab <mchehab@...nel.org>, Guennadi
	Liakhovetski <g.liakhovetski@....de>, Benjamin Gaignard
	<benjamin.gaignard@...labora.com>, Hans Verkuil <hverkuil@...nel.org>,
	stable@...r.kernel.org, Shuangpeng Bai <SJB7183@....edu>
Subject: [PATCH v4] media: videobuf2: forbid remove_bufs when legacy fileio
 is active

The vb2_ioctl_remove_bufs() call manipulates the queue's internal buffer list,
potentially overwriting some pointers used by the legacy fileio access
mode. Forbid that ioctl when fileio is active to protect internal queue
state between subsequent read/write calls.

CC: stable@...r.kernel.org
Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl")
Reported-by: Shuangpeng Bai <SJB7183@....edu>
Signed-off-by: Marek Szyprowski <m.szyprowski@...sung.com>
---
v4:
- got back to simple vb2_fileio_is_active() check as in v1, as relying on
  vb2_verify_memory_type() misses some corner cases important to v4l2
  compliance

v3: https://lore.kernel.org/all/20251023113052.1303082-1-m.szyprowski@samsung.com/
- moved vb2_verify_memory_type() check after (d->count == 0) check to pass v4l2
 compliance

v2: https://lore.kernel.org/all/20251020160121.1985354-1-m.szyprowski@samsung.com/
- dropped a change to vb2_ioctl_create_bufs(), as it is already handled
  by the vb2_verify_memory_type() call
- replaced queue->type check in vb2_ioctl_remove_bufs() by a call to
  vb2_verify_memory_type() which covers all cases

v1: https://lore.kernel.org/all/20251016111154.993949-1-m.szyprowski@samsung.com/
---
 drivers/media/common/videobuf2/videobuf2-v4l2.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c
index d911021c1bb0..83862d57b126 100644
--- a/drivers/media/common/videobuf2/videobuf2-v4l2.c
+++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c
@@ -1010,6 +1010,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv,
 	if (vb2_queue_is_busy(vdev->queue, file))
 		return -EBUSY;
 
+	if (vb2_fileio_is_active(vdev->queue)) {
+		dprintk(vdev->queue, 1, "file io in progress\n");
+		return -EBUSY;
+	}
+
 	return vb2_core_remove_bufs(vdev->queue, d->index, d->count);
 }
 EXPORT_SYMBOL_GPL(vb2_ioctl_remove_bufs);
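Review bot: The new vb2_fileio_is_active() branch in vb2_ioctl_remove_bufs() carries no comment explaining why REMOVE_BUFS has to be refused while fileio is active, and it returns the same -EBUSY as the vb2_queue_is_busy() branch directly above it, so the level-1 dprintk "file io in progress" is the only thing that distinguishes the two refusals. Consider a one-line comment above the check saying that vb2_core_remove_bufs() changes the buffer list that the legacy read/write emulation still holds pointers into; that reasoning currently lives only in the commit message. Naming the ioctl in the debug string would also let the log line identify which call was refused. The placement, after the ownership check and immediately before vb2_core_remove_bufs(), looks right from the visible context.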
-- 
2.34.1

