| Message ID | 20210915120240.21572-2-p.yadav@ti.com |
|---|---|
| State | New |
| Headers | show |
| Series | CSI2RX support on J721E | expand |
Hi Pratyush, Thank you for the patch. On Wed, Sep 15, 2021 at 05:32:30PM +0530, Pratyush Yadav wrote: > The notifier is added to the global notifier list when registered. When > the module is removed, the struct csi2rx_priv in which the notifier is > embedded, is destroyed. As a result the notifier list has a reference to > a notifier that no longer exists. This causes invalid memory accesses > when the list is iterated over. Similar for when the probe fails. > > Unregister and clean up the notifier to avoid this. > > Fixes: 1fc3b37f34f6 ("media: v4l: cadence: Add Cadence MIPI-CSI2 RX driver") > Signed-off-by: Pratyush Yadav <p.yadav@ti.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Note that there are other issues in the driver in cleanup paths, in particular a missing v4l2_async_notifier_cleanup() call in csi2rx_parse_dt() when v4l2_async_notifier_add_fwnode_remote_subdev() fails (moving the one from the other error path to an err label would be best), and missing media_entity_cleanup() calls in both the probe error path and the remove handler. Would you like to submit fixes for those ? > --- > > (no changes since v3) > > Changes in v3: > - New in v3. > > drivers/media/platform/cadence/cdns-csi2rx.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/media/platform/cadence/cdns-csi2rx.c b/drivers/media/platform/cadence/cdns-csi2rx.c > index 7b44ab2b8c9a..d60975f905d6 100644 > --- a/drivers/media/platform/cadence/cdns-csi2rx.c > +++ b/drivers/media/platform/cadence/cdns-csi2rx.c > @@ -469,6 +469,7 @@ static int csi2rx_probe(struct platform_device *pdev) > return 0; > > err_cleanup: > + v4l2_async_nf_unregister(&csi2rx->notifier); > v4l2_async_nf_cleanup(&csi2rx->notifier); > err_free_priv: > kfree(csi2rx); > @@ -479,6 +480,8 @@ static int csi2rx_remove(struct platform_device *pdev) > { > struct csi2rx_priv *csi2rx = platform_get_drvdata(pdev); > > + v4l2_async_nf_unregister(&csi2rx->notifier); > + v4l2_async_nf_cleanup(&csi2rx->notifier); > v4l2_async_unregister_subdev(&csi2rx->subdev); > kfree(csi2rx); > -- Regards, Laurent Pinchart
On 07/10/21 02:31AM, Laurent Pinchart wrote: > Hi Pratyush, > > Thank you for the patch. > > On Wed, Sep 15, 2021 at 05:32:30PM +0530, Pratyush Yadav wrote: > > The notifier is added to the global notifier list when registered. When > > the module is removed, the struct csi2rx_priv in which the notifier is > > embedded, is destroyed. As a result the notifier list has a reference to > > a notifier that no longer exists. This causes invalid memory accesses > > when the list is iterated over. Similar for when the probe fails. > > > > Unregister and clean up the notifier to avoid this. > > > > Fixes: 1fc3b37f34f6 ("media: v4l: cadence: Add Cadence MIPI-CSI2 RX driver") > > Signed-off-by: Pratyush Yadav <p.yadav@ti.com> > > Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > Note that there are other issues in the driver in cleanup paths, in > particular a missing v4l2_async_notifier_cleanup() call in > csi2rx_parse_dt() when v4l2_async_notifier_add_fwnode_remote_subdev() > fails (moving the one from the other error path to an err label would be > best), and missing media_entity_cleanup() calls in both the probe error > path and the remove handler. Would you like to submit fixes for those ? Sure, will do. > > > --- > > > > (no changes since v3) > > > > Changes in v3: > > - New in v3. > > > > drivers/media/platform/cadence/cdns-csi2rx.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/drivers/media/platform/cadence/cdns-csi2rx.c b/drivers/media/platform/cadence/cdns-csi2rx.c > > index 7b44ab2b8c9a..d60975f905d6 100644 > > --- a/drivers/media/platform/cadence/cdns-csi2rx.c > > +++ b/drivers/media/platform/cadence/cdns-csi2rx.c > > @@ -469,6 +469,7 @@ static int csi2rx_probe(struct platform_device *pdev) > > return 0; > > > > err_cleanup: > > + v4l2_async_nf_unregister(&csi2rx->notifier); > > v4l2_async_nf_cleanup(&csi2rx->notifier); > > err_free_priv: > > kfree(csi2rx); > > @@ -479,6 +480,8 @@ static int csi2rx_remove(struct platform_device *pdev) > > { > > struct csi2rx_priv *csi2rx = platform_get_drvdata(pdev); > > > > + v4l2_async_nf_unregister(&csi2rx->notifier); > > + v4l2_async_nf_cleanup(&csi2rx->notifier); > > v4l2_async_unregister_subdev(&csi2rx->subdev); > > kfree(csi2rx); > > > > -- > Regards, > > Laurent Pinchart -- Regards, Pratyush Yadav Texas Instruments Inc.
diff --git a/drivers/media/platform/cadence/cdns-csi2rx.c b/drivers/media/platform/cadence/cdns-csi2rx.c index 7b44ab2b8c9a..d60975f905d6 100644 --- a/drivers/media/platform/cadence/cdns-csi2rx.c +++ b/drivers/media/platform/cadence/cdns-csi2rx.c @@ -469,6 +469,7 @@ static int csi2rx_probe(struct platform_device *pdev) return 0; err_cleanup: + v4l2_async_nf_unregister(&csi2rx->notifier); v4l2_async_nf_cleanup(&csi2rx->notifier); err_free_priv: kfree(csi2rx); @@ -479,6 +480,8 @@ static int csi2rx_remove(struct platform_device *pdev) { struct csi2rx_priv *csi2rx = platform_get_drvdata(pdev); + v4l2_async_nf_unregister(&csi2rx->notifier); + v4l2_async_nf_cleanup(&csi2rx->notifier); v4l2_async_unregister_subdev(&csi2rx->subdev); kfree(csi2rx);
The notifier is added to the global notifier list when registered. When the module is removed, the struct csi2rx_priv in which the notifier is embedded, is destroyed. As a result the notifier list has a reference to a notifier that no longer exists. This causes invalid memory accesses when the list is iterated over. Similar for when the probe fails. Unregister and clean up the notifier to avoid this. Fixes: 1fc3b37f34f6 ("media: v4l: cadence: Add Cadence MIPI-CSI2 RX driver") Signed-off-by: Pratyush Yadav <p.yadav@ti.com> --- (no changes since v3) Changes in v3: - New in v3. drivers/media/platform/cadence/cdns-csi2rx.c | 3 +++ 1 file changed, 3 insertions(+)