reauktion/daedalus-v4l2
2
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f55b2cd002afdfd08f3c093627317f92e4929074
daedalus-v4l2/kernel
T
History
marfrit f55b2cd002 kernel: media_request_get/put around inf->req (UAF safety) 
Sonnet pre-deployment review flagged a SHIP-WITH-EYES-OPEN risk:
Phase 8.13's inf->req captured src_buf->vb2_buf.req_obj.req as a
raw pointer with no media_request_get(). On the normal decode
path that's fine because vb2-core holds its own reference until
v4l2_m2m_buf_done_and_job_finish releases it.

But on a concurrent cancel (MEDIA_IOC_REQUEST_REINIT or a process
kill triggering buf_request_complete from the cancel path before
RESP_FRAME comes back), vb2 could drop its reference first. Our
inf->req would then dangle through v4l2_ctrl_request_complete +
buf_done_and_job_finish — UAF.

Fix matches the cedrus / rkvdec pattern: take our own reference
when we capture the pointer, release it after we're done with it
(after buf_done_and_job_finish to keep the ordering crystal-clear).

  /* in daedalus_device_run, after inf->req = src_buf->...->req */
  if (inf->req)
      media_request_get(inf->req);

  /* in daedalus_complete_resp_frame, after buf_done_and_job_finish */
  if (inf->req)
      media_request_put(inf->req);

Verified on hertz:
- libva path (request-bound, inf->req != NULL): byte-exact NV12,
  same FNV-1a as standalone.
- test_m2m_stream (direct QBUF, inf->req == NULL): 30/30 frames
  decoded, conditional skip works.
- No kernel oops / WARN, no leak in dmesg.

Add #include <media/media-request.h> for the helpers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 18:39:10 +00:00
..
daedalus_v4l2_chardev.c
Phase 8.6: dmabuf + AV1 + H.264 + stateless controls
2026-05-18 16:16:06 +00:00
daedalus_v4l2_chardev.h
Phase 8.2: kernel ↔ daemon chardev bridge with round-trip test
2026-05-18 15:05:54 +00:00
daedalus_v4l2_main.c
kernel: media_request_get/put around inf->req (UAF safety)
2026-05-18 18:39:10 +00:00
daedalus_v4l2_main.h
Phase 8.7: media controller + multi-frame streaming verification
2026-05-18 16:21:58 +00:00
Makefile
Phase 8.2: kernel ↔ daemon chardev bridge with round-trip test
2026-05-18 15:05:54 +00:00
README.md
Initial scaffold: daedalus-v4l2 sibling repo
2026-05-18 14:54:56 +00:00

README.md

kernel/ — daedalus-v4l2 Linux kernel module

Out-of-tree kernel module providing a V4L2 stateless decoder device that forwards work to a userspace daemon.

Status

Scaffold only. Phase 8.1 not yet started.

Build (when implemented)

make -C /lib/modules/$(uname -r)/build M=$(pwd)
sudo insmod daedalus_v4l2.ko
v4l2-ctl --list-devices  # confirm /dev/videoNN appears

Layout (planned)

  • Makefile — kbuild stub
  • daedalus_v4l2_main.c — module init + V4L2 device registration
  • daedalus_v4l2_chardev.c/dev/daedalus-v4l2 chardev for daemon communication
  • daedalus_v4l2_v4l2.c — V4L2 ioctl dispatch (stateless controls)

License

GPLv2. Required for kernel module symbol compatibility.

Phase 8.1 starting point

Minimal example: register a /dev/videoNN that returns -ENOSYS on every ioctl. Validates that the kernel build works and v4l2-ctl can see the device.

Reference in New Issue View Git Blame Copy Permalink