ture from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender SpamTally: Final spam score: -11 On 23/10/2025 13:55, Marek Szyprowski wrote: > On 23.10.2025 13:36, Hans Verkuil wrote: >> On 23/10/2025 13:30, Marek Szyprowski wrote: >>> vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, >>> potentially overwriting some pointers used by the legacy fileio access >>> mode. Add a vb2_verify_memory_type() check symmetrical to >>> vb2_ioctl_create_bufs() to forbid that ioctl when fileio is active to >>> protect internal queue state between subsequent read/write calls. >>> >>> CC: stable@vger.kernel.org >>> Fixes: a3293a85381e ("media: v4l2: Add REMOVE_BUFS ioctl") >>> Reported-by: Shuangpeng Bai >>> Suggested-by: Benjamin Gaignard >>> Signed-off-by: Marek Szyprowski >>> --- >>> drivers/media/common/videobuf2/videobuf2-v4l2.c | 8 +++++--- >>> 1 file changed, 5 insertions(+), 3 deletions(-) >>> >>> diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c b/drivers/media/common/videobuf2/videobuf2-v4l2.c >>> index d911021c1bb0..a8a5b42a42d0 100644 >>> --- a/drivers/media/common/videobuf2/videobuf2-v4l2.c >>> +++ b/drivers/media/common/videobuf2/videobuf2-v4l2.c >>> @@ -1000,13 +1000,15 @@ int vb2_ioctl_remove_bufs(struct file *file, void *priv, >>> struct v4l2_remove_buffers *d) >>> { >>> struct video_device *vdev = video_devdata(file); >>> - >>> - if (vdev->queue->type != d->type) >>> - return -EINVAL; >>> + int res; >>> >>> if (d->count == 0) >>> return 0; >> Ah, no. This should still check d->type. So: >> >> if (d->count == 0) >> return d->type == vdev->queue->type ? 0 : -EINVAL; > > Then frankly speaking lets get back to v1 limited to > vb2_ioctl_remove_bufs(), as using vb2_verify_memory_type() in this > context only makes things harder to understand: > > diff --git a/drivers/media/common/videobuf2/videobuf2-v4l2.c > b/drivers/media/common/videobuf2/videobuf2-v4l2.c index > d911021c1bb0..f4104d5971dd 100644 --- > a/drivers/media/common/videobuf2/videobuf2-v4l2.c +++ > b/drivers/media/common/videobuf2/videobuf2-v4l2.c > > @@ -1010,6 +1015,11 @@ int vb2_ioctl_remove_bufs(struct file *file, void > *priv, if (vb2_queue_is_busy(vdev->queue, file)) return -EBUSY; + if > (vb2_fileio_is_active(vdev->queue)) { + dprintk(vdev->queue, 1, "file io > in progress\n"); + return -EBUSY; + } + return > vb2_core_remove_bufs(vdev->queue, d->index, d->count); } > EXPORT_SYMBOL_GPL(vb2_ioctl_remove_bufs); I agree. Can you post a v4? Regards, Hans > > >> Regards, >> >> Hans >> >>> >>> + res = vb2_verify_memory_type(vdev->queue, vdev->queue->memory, d->type); >>> + if (res) >>> + return res; >>> + >>> if (vb2_queue_is_busy(vdev->queue, file)) >>> return -EBUSY; >>> > Best regards From - Thu Oct 23 12:30:29 2025 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Delivered-To: hi@josie.lol Received: from witcher.mxrouting.net by witcher.mxrouting.net with LMTP id wOYyIeIf+mg/RCQAYBR5ng (envelope-from ) for ; Thu, 23 Oct 2025 12:30:26 +0000 Return-path: Envelope-to: hi@josie.lol Delivery-date: Thu, 23 Oct 2025 12:30:26 +0000 Received: from sv.mirrors.kernel.org ([139.178.88.99]) by witcher.mxrouting.net with esmtps (TLS1.3)