lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu,  6 Oct 2016 10:28:39 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     linux-kernel@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        stable@...r.kernel.org,
        Laurent Pinchart <laurent.pinchart+renesas@...asonboard.com>,
        Mauro Carvalho Chehab <mchehab@...pensource.com>
Subject: [PATCH 4.7 083/141] [media] v4l: vsp1: Fix crash when resetting pipeline

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Laurent Pinchart <laurent.pinchart+renesas@...asonboard.com>

commit d69e40fade97b6b19837c1772efa516bc28cc870 upstream.

The vsp1_pipeline_reset() function loops over pipeline inputs and output
and resets them. When doing so it assumes both that the pipeline has
been correctly configured with an output, and that inputs are are stored
in the pipe inputs array at positions 0 to num_inputs-1.

Both the assumptions are incorrect. The pipeline might need to be reset
after a failed attempts to configure it, without any output specified.
Furthermore, inputs are stored in a positiong equal to their RPF index,
possibly creating holes in the inputs array if the RPFs are not used in
sequence.

Fix both issues by looping over the whole inputs array and skipping
unused entries, and ignoring the output when not set.

Fixes: ff7e97c94d9f ("[media] v4l: vsp1: Store pipeline pointer in rwpf")

Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@...asonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@...pensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>

---
 drivers/media/platform/vsp1/vsp1_pipe.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/media/platform/vsp1/vsp1_pipe.c
+++ b/drivers/media/platform/vsp1/vsp1_pipe.c
@@ -172,13 +172,17 @@ void vsp1_pipeline_reset(struct vsp1_pip
 			bru->inputs[i].rpf = NULL;
 	}
 
-	for (i = 0; i < pipe->num_inputs; ++i) {
-		pipe->inputs[i]->pipe = NULL;
-		pipe->inputs[i] = NULL;
+	for (i = 0; i < ARRAY_SIZE(pipe->inputs); ++i) {
+		if (pipe->inputs[i]) {
+			pipe->inputs[i]->pipe = NULL;
+			pipe->inputs[i] = NULL;
+		}
 	}
 
-	pipe->output->pipe = NULL;
-	pipe->output = NULL;
+	if (pipe->output) {
+		pipe->output->pipe = NULL;
+		pipe->output = NULL;
+	}
 
 	INIT_LIST_HEAD(&pipe->entities);
 	pipe->state = VSP1_PIPELINE_STOPPED;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ