kernel_optimize_test/include/media
Hans Verkuil 5d0f6f5251 media: v4l2-ctrls: fix reference to freed memory
commit ac34b79da14d67a9b494f6125186becbd067e225 upstream.

When controls are used together with the Request API, then for
each request a v4l2_ctrl_handler struct is allocated. This contains
the controls that can be set in a request. If a control is *not* set in
the request, then the value used in the most recent previous request
must be used, or the current value if it is not found in any outstanding
requests.

The framework tried to find such a previous request and it would set
the 'req' pointer in struct v4l2_ctrl_ref to the v4l2_ctrl_ref of the
control in such a previous request. So far, so good. However, when that
previous request was applied to the hardware, returned to userspace, and
then userspace would re-init or free that request, any 'ref' pointer in
still-queued requests would suddenly point to freed memory.

This was not noticed before since the drivers that use this expected
that each request would always have the controls set, so there was
never any need to find a control in older requests. This requirement
was relaxed, and now this bug surfaced.

It was also made worse by changeset
2fae4d6aab ("media: v4l2-ctrls: v4l2_ctrl_request_complete() should always set ref->req")
which increased the chance of this happening.

The use of the 'req' pointer in v4l2_ctrl_ref was very fragile, so
drop this entirely. Instead add a valid_p_req bool to indicate that
p_req contains a valid value for this control. And if it is false,
then just use the current value of the control.

Note that VIDIOC_G_EXT_CTRLS will always return -EACCES when attempting
to get a control from a request until the request is completed. And in
that case, all controls in the request will have the control value set
(i.e. valid_p_req is true). This means that the whole 'find the most
recent previous request containing a control' idea is pointless, and
the code can be simplified considerably.

The v4l2_g_ext_ctrls_common() function was refactored a bit to make
it more understandable. It also avoids updating volatile controls
in a completed request since that was already done when the request
was completed.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: 2fae4d6aab ("media: v4l2-ctrls: v4l2_ctrl_request_complete() should always set ref->req")
Fixes: 6fa6f831f0 ("media: v4l2-ctrls: add core request support")
Cc: <stable@vger.kernel.org>      # for v5.9 and up
Tested-by: Alexandre Courbot <acourbot@chromium.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-05-11 14:47:39 +02:00
..
davinci media: davinci: replace http references with https 2020-07-19 07:54:47 +02:00
drv-intf ARM: s3c24xx: drop s3c-camif setup platform code 2020-08-19 20:57:32 +02:00
i2c media: smiapp: Move definitions under driver directory 2020-02-27 17:49:04 -03:00
tpg media: v4l2-tpg: Clamp hue in tpg_s_hue() 2020-08-26 18:51:34 +02:00
cec-notifier.h Update rmk's email address in various drivers 2020-04-21 17:50:09 +01:00
cec-pin.h media: cec-gpio: handle gpiod_get_value errors correctly 2020-04-29 12:04:38 +02:00
cec.h media: cec: no need to check return value of debugfs_create functions 2020-09-01 14:13:26 +02:00
demux.h media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
dmxdev.h media: dmxdev: Fix the logic that enables DMA mmap support 2018-02-23 05:27:10 -05:00
dvb_ca_en50221.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_demux.h media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
dvb_frontend.h media: dvb_frontend.h: Fix shifting signed 32-bit value problem 2019-08-14 05:04:08 -03:00
dvb_math.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_net.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_ringbuffer.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_vb2.h media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
dvb-usb-ids.h media: dvb-usb: Add Cinergy S2 PCIe Dual Port support 2020-05-25 09:09:39 +02:00
dvbdev.h media: dvbdev.h: keep * together with the type 2020-07-19 14:26:25 +02:00
fwht-ctrls.h media: vicodec: Introducing stateless fwht defs and structs 2019-03-25 14:02:30 -04:00
h264-ctrls.h media: uapi: h264: Rename and clarify PPS_FLAG_SCALING_MATRIX_PRESENT 2020-09-01 14:13:28 +02:00
hevc-ctrls.h media: v4l: Add definitions for HEVC stateless decoding 2019-10-24 18:09:18 -03:00
imx.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
media-dev-allocator.h media: Media Device Allocator API 2019-04-22 11:18:26 -04:00
media-device.h media: media-device.h: drop duplicated word in comment 2020-07-19 14:00:07 +02:00
media-devnode.h media: media-devnode.h: drop duplicated word in comment 2020-07-19 14:00:12 +02:00
media-entity.h media: media-entity.h: drop duplicated word in comment 2020-07-19 14:00:21 +02:00
media-request.h media: media requests: return EBADR instead of EACCES 2019-03-25 13:26:10 -04:00
mpeg2-ctrls.h media: cedrus: identify buffers by timestamp 2019-01-07 13:20:54 -05:00
rc-core.h media: rc: harmonize infrared durations to microseconds 2020-09-03 16:18:55 +02:00
rc-map.h media: rc: compile rc-cec.c into rc-core 2021-03-17 17:06:20 +01:00
rcar-fcp.h media: rcar-fcp: convert to SPDX identifiers 2018-09-12 09:29:03 -04:00
tuner-types.h media: tuner-types: add kernel-doc markups for struct tunertype 2017-12-18 09:06:40 -05:00
tuner.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
tveeprom.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
v4l2-async.h media: v4l2-async: Document asd allocation requirements 2020-09-10 14:26:05 +02:00
v4l2-clk.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
v4l2-common.h media: vivid: Add support to the CSC API 2020-09-26 10:21:34 +02:00
v4l2-ctrls.h media: v4l2-ctrls: fix reference to freed memory 2021-05-11 14:47:39 +02:00
v4l2-dev.h media: v4l2-dev: Add v4l2_device_register_ro_subdev_node() 2020-05-12 17:04:07 +02:00
v4l2-device.h media: v4l2-dev: Add v4l2_device_register_ro_subdev_node() 2020-05-12 17:04:07 +02:00
v4l2-dv-timings.h media: cec/v4l2: move V4L2 specific CEC functions to V4L2 2018-09-24 09:11:04 -04:00
v4l2-event.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174 2019-05-30 11:26:41 -07:00
v4l2-fh.h media: v4l2-fh: define v4l2_fh struct regardless of condition 2020-04-21 13:40:06 +02:00
v4l2-flash-led-class.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
v4l2-fwnode.h media: v4l2-fwnode: v4l2_fwnode_endpoint_parse caller must init vep argument 2020-12-30 11:53:11 +01:00
v4l2-h264.h media: uapi: h264: Clean slice invariants syntax elements 2020-09-01 14:13:28 +02:00
v4l2-image-sizes.h media: v4l2-image-sizes: add HD and Full-HD definitions 2020-04-21 17:21:51 +02:00
v4l2-ioctl.h media: v4l2-core: fix v4l2_buffer handling for time64 ABI 2020-01-03 15:50:21 +01:00
v4l2-jpeg.h media: add v4l2 JPEG helpers 2020-04-14 11:47:47 +02:00
v4l2-mc.h media: v4l2: Correct kernel-doc inconsistency 2020-08-06 11:25:07 +02:00
v4l2-mediabus.h media: v4l2-fwnode: Return -EINVAL for invalid bus-type 2020-12-30 11:53:11 +01:00
v4l2-mem2mem.h media: v4l2-mem2mem: add v4l2_m2m_suspend, v4l2_m2m_resume 2020-08-28 15:20:40 +02:00
v4l2-rect.h media: v4l2-rect.h: add enclosed rectangle helper 2020-07-04 12:29:38 +02:00
v4l2-subdev.h media: v4l2-subdev.h: fix a kernel-doc markup 2020-09-30 18:50:20 +02:00
videobuf-core.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 2019-06-19 17:09:07 +02:00
videobuf-dma-contig.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 2019-06-19 17:09:07 +02:00
videobuf-dma-sg.h media: videobuf-dma-sg: number of pages should be unsigned long 2020-09-03 11:12:20 +02:00
videobuf-vmalloc.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 2019-06-19 17:09:07 +02:00
videobuf2-core.h media: media/v4l2: remove V4L2_FLAG_MEMORY_NON_CONSISTENT flag 2020-09-14 15:28:06 +02:00
videobuf2-dma-contig.h media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size 2020-06-11 19:20:55 +02:00
videobuf2-dma-sg.h media: Change Andrzej Pietrasiewicz's e-mail address 2019-01-16 11:21:07 -05:00
videobuf2-dvb.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
videobuf2-memops.h media: videobuf2-vmalloc: get_userptr: buffers are always writable 2019-05-29 08:05:58 -04:00
videobuf2-v4l2.h media: videobuf2-v4l2.c: add vb2_video_unregister_device helper function 2020-08-28 14:58:48 +02:00
videobuf2-vmalloc.h
vp8-ctrls.h media: uapi: new file needs types.h 2019-07-23 08:19:32 -04:00
vsp1.h media: vsp1: drm: Implement writeback support 2019-03-18 17:24:14 +02:00