Message-Id: <20220907123359.1275322-1-luzmaximilian@gmail.com>
Date: Wed, 7 Sep 2022 14:33:59 +0200
From: Maximilian Luz <luzmaximilian@...il.com>
To: Sakari Ailus <sakari.ailus@...ux.intel.com>
Cc: Bingbu Cao <bingbu.cao@...el.com>,
Tianshu Qiu <tian.shu.qiu@...el.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Tomi Valkeinen <tomi.valkeinen@...asonboard.com>,
Laurent Pinchart <laurent.pinchart@...asonboard.com>,
Jacopo Mondi <jacopo+renesas@...ndi.org>,
Hans Verkuil <hverkuil-cisco@...all.nl>,
linux-media@...r.kernel.org, linux-staging@...ts.linux.dev,
linux-kernel@...r.kernel.org,
Maximilian Luz <luzmaximilian@...il.com>
Subject: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization to allocate active state

Commit f69952a4dc1e ("media: subdev: add active state to struct
v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
This state needs to be allocated via v4l2_subdev_init_finalize(). The
intel-ipu3 driver unfortunately does not do that, due to which,
active_state is NULL and we run into an oops (NULL pointer dereference)
when that state is accessed.

In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
("media: subdev: pass also the active state to subdevs from ioctls")
passes that state on to the subdev IOCTLs. An example scenario where
this happens is running libcamera's qcam or cam on a device with IPU3,
for example the Microsoft Surface Book 2. In this case, the oops occurs
reproducibly in v4l2_subdev_get_try_crop(), called via
imgu_subdev_set_selection().

To fix this, allocate the active_state member via
v4l2_subdev_init_finalize().

Link: https://github.com/linux-surface/linux-surface/issues/907
Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
Signed-off-by: Maximilian Luz <luzmaximilian@...il.com>
---
drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
index d1c539cefba8..84ab98ba9a2e 100644
--- a/drivers/staging/media/ipu3/ipu3-v4l2.c
+++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
@@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
"failed to create subdev v4l2 ctrl with err %d", r);
goto fail_subdev;
}
+
+ r = v4l2_subdev_init_finalize(&imgu_sd->subdev);
+ if (r) {
+ dev_err(&imgu->pci_dev->dev,
+ "failed to initialize subdev (%d)\n", r);
+ goto fail_subdev;
+ }
+
r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev);
if (r) {
dev_err(&imgu->pci_dev->dev,
- "failed initialize subdev (%d)\n", r);
+ "failed to register subdev (%d)\n", r);
goto fail_subdev;
}
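Review bot: the new v4l2_subdev_init_finalize() call carries no comment saying why it has to sit before v4l2_device_register_subdev(). Per the commit message, active_state is dereferenced from the subdev IOCTLs, so the state should be in place before the subdev is registered; a one-line comment above the call would keep a later reordering of this function from bringing the NULL pointer dereference back.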
@@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
return 0;
fail_subdev:
+ v4l2_subdev_cleanup(&imgu_sd->subdev);
v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler);
media_entity_cleanup(&imgu_sd->subdev.entity);
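Review bot: fail_subdev is also the target of the control-handler error path visible in the previous hunk ("failed to create subdev v4l2 ctrl with err %d"), which is taken before v4l2_subdev_init_finalize() has run, so the added v4l2_subdev_cleanup() can execute on a subdev whose active state was never allocated. Please confirm that v4l2_subdev_cleanup() is a no-op in that case and note it in the commit message, or split the unwind into two labels so the cleanup only runs after a successful finalize.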
@@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i)
struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i];
v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev);
+ v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev);
v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler);
media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity);
}
--
2.37.3