lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220907123359.1275322-1-luzmaximilian@gmail.com>
Date:   Wed,  7 Sep 2022 14:33:59 +0200
From:   Maximilian Luz <luzmaximilian@...il.com>
To:     Sakari Ailus <sakari.ailus@...ux.intel.com>
Cc:     Bingbu Cao <bingbu.cao@...el.com>,
        Tianshu Qiu <tian.shu.qiu@...el.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Tomi Valkeinen <tomi.valkeinen@...asonboard.com>,
        Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        Jacopo Mondi <jacopo+renesas@...ndi.org>,
        Hans Verkuil <hverkuil-cisco@...all.nl>,
        linux-media@...r.kernel.org, linux-staging@...ts.linux.dev,
        linux-kernel@...r.kernel.org,
        Maximilian Luz <luzmaximilian@...il.com>
Subject: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization to allcoate active state

Commit f69952a4dc1e ("media: subdev: add active state to struct
v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
This state needs to be allocated via v4l2_subdev_init_finalize(). The
intel-ipu3 driver unfortunately does not do that, due to which,
active_state is NULL and we run into an oops (NULL pointer dereference)
when that state is accessed.

In particular, this happens subdev in IOCTLs as commit 3cc7a4bbc381
("media: subdev: pass also the active state to subdevs from ioctls")
passes that state on to the subdev IOCTLs. An example scenario where
this happens is running libcamera's qcam or cam on a device with IPU3,
for example the Microsoft Surface Book 2. In this case, the oops is
reproducibly in v4l2_subdev_get_try_crop(), called via
imgu_subdev_set_selection().

To fix this, allocate the active_state member via
v4l2_subdev_init_finalize().

Link: https://github.com/linux-surface/linux-surface/issues/907
Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
Signed-off-by: Maximilian Luz <luzmaximilian@...il.com>
---
 drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
index d1c539cefba8..84ab98ba9a2e 100644
--- a/drivers/staging/media/ipu3/ipu3-v4l2.c
+++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
@@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
 			"failed to create subdev v4l2 ctrl with err %d", r);
 		goto fail_subdev;
 	}
+
+	r = v4l2_subdev_init_finalize(&imgu_sd->subdev);
+	if (r) {
+		dev_err(&imgu->pci_dev->dev,
+			"failed to initialize subdev (%d)\n", r);
+		goto fail_subdev;
+	}
+
 	r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev);
 	if (r) {
 		dev_err(&imgu->pci_dev->dev,
-			"failed initialize subdev (%d)\n", r);
+			"failed to register subdev (%d)\n", r);
 		goto fail_subdev;
 	}
 
@@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
 	return 0;
 
 fail_subdev:
+	v4l2_subdev_cleanup(&imgu_sd->subdev);
 	v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler);
 	media_entity_cleanup(&imgu_sd->subdev.entity);
 
@@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i)
 	struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i];
 
 	v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev);
+	v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev);
 	v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler);
 	media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity);
 }
-- 
2.37.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ