| Message ID | d0fdfb94b56871e757812bfb7aa58e83f7215903.1778518085.git.vebohr@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-sunxi+bounces-23262-sunxi=pue.re@lists.linux.dev>
X-Original-To: noreply@patchwork.local
Delivered-To: noreply@patchwork.local
Received: from sto.lore.kernel.org (sto.lore.kernel.org [172.232.135.74])
by mxe881.netcup.net (Postfix) with ESMTPS id 3F6C61C024C
for <noreply@patchwork.local>; Mon, 11 May 2026 19:13:37 +0200 (CEST)
Authentication-Results: mxe881;
dkim=pass header.d=gmail.com;
spf=pass (sender IP is 172.232.135.74)
smtp.mailfrom=linux-sunxi+bounces-23262-noreply=patchwork.local@lists.linux.dev
smtp.helo=sto.lore.kernel.org
Received-SPF: pass (mxe881: domain of lists.linux.dev designates
172.232.135.74 as permitted sender) client-ip=172.232.135.74;
envelope-from=linux-sunxi+bounces-23262-noreply=patchwork.local@lists.linux.dev;
helo=sto.lore.kernel.org;
Received: from smtp.subspace.kernel.org (conduit.subspace.kernel.org
[100.90.174.1])
by sto.lore.kernel.org (Postfix) with ESMTP id 312B430229C3
for <noreply@patchwork.local>; Mon, 11 May 2026 17:12:52 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 7384045348D;
Mon, 11 May 2026 17:12:23 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.b="sXmiNaWJ"
X-Original-To: linux-sunxi@lists.linux.dev
Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com
[209.85.167.48])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 86219441036
for <linux-sunxi@lists.linux.dev>; Mon, 11 May 2026 17:12:21 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=209.85.167.48
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1778519543; cv=none;
b=bVLIia7d14wBe52XwkttFlSoUftEG1tm6zKFcerDweyqTwP7Yh0L+b5vSP8lNC6e8JBiza/OWlVv5Wbpv46l5hVN4krWc4XtYdgciFO2XJD1noZGi2332I36amjgLQgrOOGJNA8tf8FPlVD7yxJ3O5X3vkF15JFcri08b31qtRI=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1778519543; c=relaxed/simple;
bh=Pm0arqbEMJSuzVfu2XbHYEXxhnKaEaOHkvubnY5Jb24=;
h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
MIME-Version;
b=PwVP/SFlSbq/7mPV2JIXKoCT+WwbKvuz29PZ7X9xjBMIUav6wjmW9NLSNELXhcIPOe8VKuVrvlxErtzX6HOrKatcSqTps/UBt8+xECI+nUjmFO7aJduQVPDJQE01MFmHLMUSDtiouCI7Ae7Cjn5PT1xOCbLMzvmGy3U5IOhFzzA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=gmail.com;
spf=pass smtp.mailfrom=gmail.com;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.b=sXmiNaWJ; arc=none smtp.client-ip=209.85.167.48
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=gmail.com
Received: by mail-lf1-f48.google.com with SMTP id
2adb3069b0e04-5a887ebb416so4275852e87.2
for <linux-sunxi@lists.linux.dev>;
Mon, 11 May 2026 10:12:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20251104; t=1778519540; x=1779124340;
darn=lists.linux.dev;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:from:to:cc:subject:date
:message-id:reply-to;
bh=JH+u+xhzUiMSlilufXXl7nt5EV8IiDoOquYIB5049q8=;
b=sXmiNaWJvQJ83LigbdfhczvdMhPK9fyDTsK8kzkpFOm8LjMs4gjnj+m0EraoRZub3b
ETrN3ox6a7hCuzpzC++7tST7Lu8e8Fo2cAU49JCm1CVlwH77/5vKjxfTFbmr4MPHs7BX
GsE/iC4pRAb/90RCtTIdHsz6xSl50vDQdYeX48P0aSOAv77BkJd1hmcN11Z2CBoAGpky
sJveFxP8ziwS7uRyuQaVy5/la1fINiOWEiUMQDxVx65YO3+H/I4BuCNTFwcqzEGJ8dEn
XJhYLPZztPf1ZtAVnWl630hThTO1CnEVr2iOjRKkyWe1L3JMKXjcjFGAxXUJTZTm5IZs
p6bw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20251104; t=1778519540; x=1779124340;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
:to:cc:subject:date:message-id:reply-to;
bh=JH+u+xhzUiMSlilufXXl7nt5EV8IiDoOquYIB5049q8=;
b=FKFIMx4YwuzWgbpRYM9cvvyD5vD2HwxAtIkTJ/jGp1NRWROiLsvhjDUmMOxtCmbjP6
xgnDDx/sozTAdYi/TSR2mtp8JP5myFxBnTkG881lEI6PMro4h2tPD8PoyU720V8kvoqv
Mvyae2KkBD7M6fi/SCuV0TXQ4/Z6CrdANBTiMoOM5WYV7w2hD3pwzdoyPA05vtoZ1+61
BIKRHtkhOxMwkm4Vjlf46Rz+c2+1jo9KK4IkarKipdfVhnY2zWRgYMKtPjBHk+MwqVsj
oIsy9hzfcmHQ1yzGgY7IJeKKfasgXYjuqBSzzuYaF+ZzH9UXDno6NUeGiZkSBQ5PP0WZ
/OJA==
X-Forwarded-Encrypted: i=1;
AFNElJ9vhUE+jw79TRp481rnZ5WB727Rdb/HEXTvlz75gDwiiP9WSGrcxL6yll0L4jcA8fjokm0/aHIYnBg0WA==@lists.linux.dev
X-Gm-Message-State: AOJu0YywB5YSiPfJDpodc1Hkd69bS+f1kioRLW4VrYXVKUTTQk0MGoL9
LNTkWQCiKOgWfXub6aNEmgFLYrPHyJTI88rvGsd8FTg8OPFKg4I03anv
X-Gm-Gg: Acq92OFQnmwiCp8h7aliRCnmcX6tbD4//PKcFHZQhew+6kFW/2EwesR62vvcaizoVpi
Ty1aTbrLigGDoWHtFfI1TQz/Dhv1KMSzGVmcaHmHzDs1M/m1yfINT0MHvFuHDpCV85VysmdlV9D
2fDPuHXxsIhSStYpkJiDLYjwUSDIAoqHtT0CWzVTuevlL9sFAd+qY7sM+6o9lAbX9TO+Ns2wtsV
iww0luZeyXM40uyyPeFSnFrJ/vgQM3451ge1zP1PXTkb4SrQGuD/Re4Ic0rbyW+zTulLOg8l5lm
By7N1ZYCJaOI3dbZ60bI7lJ032uUbYy80T2cPpEobe3YjB+ZFTXwvTVfdbqq9RxicsvaZlgatqS
mAz9B6dBqr0L6eyK5SaFKY7OPuiFp0KO7sYjA8rDqXY/OQmqxOhDFTGdVOI5RVF18NXT5auCkvi
g1/WGTYS3Xt6ECqQNmpoGV8/7x/9e+JEjxprOrVX6cdOtTlpHaOB9XleSaQQHCK/KOTmi5zV4=
X-Received: by 2002:a05:6512:3e16:b0:5a3:ff5a:d83 with SMTP id
2adb3069b0e04-5a887ae3618mr10520299e87.16.1778519539315;
Mon, 11 May 2026 10:12:19 -0700 (PDT)
Received: from va-HP-Pavilion-Desktop-595-p0xxx.mshome.net ([193.0.150.248])
by smtp.gmail.com with ESMTPSA id
2adb3069b0e04-5a8a95660b6sm2765488e87.62.2026.05.11.10.12.17
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 11 May 2026 10:12:18 -0700 (PDT)
From: Valery Borovsky <vebohr@gmail.com>
To: linux-media@vger.kernel.org
Cc: mchehab@kernel.org,
hverkuil@kernel.org,
hansg@kernel.org,
hugues.fruchet@foss.st.com,
alain.volmat@foss.st.com,
mcoquelin.stm32@gmail.com,
alexandre.torgue@foss.st.com,
sakari.ailus@linux.intel.com,
mripard@kernel.org,
wens@kernel.org,
jernej.skrabec@gmail.com,
samuel@sholland.org,
linux-stm32@st-md-mailman.stormreply.com,
linux-arm-kernel@lists.infradead.org,
linux-sunxi@lists.linux.dev,
linux-kernel@vger.kernel.org,
Valery Borovsky <vebohr@gmail.com>,
stable@vger.kernel.org
Subject: [PATCH 3/6] media: pwc: Return queued buffers on start_streaming()
failure
Date: Mon, 11 May 2026 20:12:08 +0300
Message-ID:
<d0fdfb94b56871e757812bfb7aa58e83f7215903.1778518085.git.vebohr@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <cover.1778518085.git.vebohr@gmail.com>
References: <cover.1778518085.git.vebohr@gmail.com>
Precedence: bulk
X-Mailing-List: linux-sunxi@lists.linux.dev
List-Id: <linux-sunxi.lists.linux.dev>
List-Subscribe: <mailto:linux-sunxi+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:linux-sunxi+unsubscribe@lists.linux.dev>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Rspamd-Server: rspamd-worker-8404
X-Spamd-Result: default: False [0.34 / 15.00];
BAYES_HAM(-5.50)[100.00%];
RBL_SENDERSCORE(2.00)[172.232.135.74:from];
SUSPICIOUS_RECIPS(1.50)[];
MID_CONTAINS_FROM(1.00)[];
DMARC_POLICY_SOFTFAIL(1.00)[gmail.com : SPF not aligned (relaxed),
No valid DKIM,none];
R_MISSING_CHARSET(0.50)[];
MAILLIST(-0.15)[generic];
MIME_GOOD(-0.10)[text/plain];
BAD_REP_POLICIES(0.10)[];
HAS_LIST_UNSUB(-0.01)[];
RCPT_COUNT_TWELVE(0.00)[19];
FREEMAIL_FROM(0.00)[gmail.com];
FUZZY_BLOCKED(0.00)[rspamd.com];
FORGED_SENDER_MAILLIST(0.00)[];
DBL_BLOCKED_OPENRESOLVER(0.00)[sto.lore.kernel.org:rdns,sto.lore.kernel.org:helo];
FREEMAIL_CC(0.00)[kernel.org,foss.st.com,gmail.com,linux.intel.com,sholland.org,st-md-mailman.stormreply.com,lists.infradead.org,lists.linux.dev,vger.kernel.org];
TO_DN_SOME(0.00)[];
R_SPF_ALLOW(0.00)[+ip4:172.232.135.74];
TAGGED_RCPT(0.00)[];
FROM_HAS_DN(0.00)[];
RCVD_TLS_LAST(0.00)[];
MIME_TRACE(0.00)[0:+];
FORGED_RECIPIENTS_MAILLIST(0.00)[];
PRECEDENCE_BULK(0.00)[];
ASN(0.00)[asn:63949, ipnet:172.232.128.0/19, country:SG];
ARC_ALLOW(0.00)[subspace.kernel.org:s=arc-20240116:i=1];
TAGGED_FROM(0.00)[bounces-23262-noreply=patchwork.local];
RCVD_COUNT_FIVE(0.00)[6];
FROM_NEQ_ENVFROM(0.00)[vebohr@gmail.com,linux-sunxi@lists.linux.dev];
RCVD_VIA_SMTP_AUTH(0.00)[]
X-Rspamd-Queue-Id: 3F6C61C024C
X-MORS-Enabled: yes
X-MORS-DOMAIN: patchwork.local
X-MORS-HOSTING: hosting172546
X-MORS-USER: hosting172546
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
|
| Series |
media: vb2: Return queued buffers from start_streaming() on error
|
|
Commit Message
Valery Borovsky
May 11, 2026, 5:12 p.m. UTC
The vb2 framework hands buffers to the driver via buf_queue() before
calling start_streaming(). If start_streaming() returns an error
without first returning those buffers via vb2_buffer_done(),
vb2_start_streaming() fires WARN_ON(owned_by_drv_count) and the queued
buffers leak.
pwc's start_streaming() had two early returns that hit this trap:
-ENODEV when the USB device was already disconnected, and -ERESTARTSYS
when mutex_lock_interruptible() was interrupted by a signal. Call the
existing pwc_cleanup_queued_bufs() helper with VB2_BUF_STATE_QUEUED
before returning (matching the state already used by the
pwc_isoc_init() error path in the same function).
This mirrors the uvcvideo fix in commit 4cf3b6fd54eb ("media: uvcvideo:
Return queued buffers on start_streaming() failure").
Fixes: ceede9fa8939 ("[media] pwc: Fix locking")
Cc: stable@vger.kernel.org
Signed-off-by: Valery Borovsky <vebohr@gmail.com>
---
drivers/media/usb/pwc/pwc-if.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
Comments
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider: - [High] Incomplete Buffer Cleanup on Error in `start_streaming()` causing a buffer leak -- commit 39f02233e64ac5cb48aca4fd3aaf5db7ee99320b Author: Valery Borovsky <vebohr@gmail.com> Subject: media: pwc: Return queued buffers on start_streaming() failure This commit addresses leaked buffers during start_streaming() failures by ensuring queued buffers are returned to videobuf2 before returning an error on the early exit paths. Cc: stable@vger.kernel.org > diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c > --- a/drivers/media/usb/pwc/pwc-if.c > +++ b/drivers/media/usb/pwc/pwc-if.c > @@ -710,11 +710,15 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count) > struct pwc_device *pdev = vb2_get_drv_priv(vq); > int r; > > - if (!pdev->udev) > + if (!pdev->udev) { > + pwc_cleanup_queued_bufs(pdev, VB2_BUF_STATE_QUEUED); Does this cleanup catch buffers that might have been moved to pdev->fill_buf? While this isn't a new regression introduced by this specific patch, it looks like a buffer leak could still happen if pwc_isoc_init() fails later in this function. During pwc_isoc_init(), usb_submit_urb() is called with GFP_KERNEL and can sleep. If a previously submitted URB completes successfully before the loop finishes, its completion handler pwc_isoc_handler() can execute and move a buffer from pdev->queued_bufs into pdev->fill_buf. If a subsequent usb_submit_urb() fails, pwc_isoc_init() aborts and kills the URBs. The error path in start_streaming() then executes pwc_cleanup_queued_bufs(). Since pdev->fill_buf is no longer in the list, it would be ignored by the cleanup routine and leaked, triggering the same WARN_ON(owned_by_drv_count) trap. Should pdev->fill_buf be explicitly checked and returned to videobuf2 on failure, similar to how it is handled in stop_streaming()? > return -ENODEV; > + }
diff --git a/drivers/media/usb/pwc/pwc-if.c b/drivers/media/usb/pwc/pwc-if.c index c416e2fc5754..59b99ac8fcb6 100644 --- a/drivers/media/usb/pwc/pwc-if.c +++ b/drivers/media/usb/pwc/pwc-if.c @@ -710,11 +710,15 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count) struct pwc_device *pdev = vb2_get_drv_priv(vq); int r; - if (!pdev->udev) + if (!pdev->udev) { + pwc_cleanup_queued_bufs(pdev, VB2_BUF_STATE_QUEUED); return -ENODEV; + } - if (mutex_lock_interruptible(&pdev->v4l2_lock)) + if (mutex_lock_interruptible(&pdev->v4l2_lock)) { + pwc_cleanup_queued_bufs(pdev, VB2_BUF_STATE_QUEUED); return -ERESTARTSYS; + } /* Turn on camera and set LEDS on */ pwc_camera_power(pdev, 1); pwc_set_leds(pdev, leds[0], leds[1]);