Message-ID: <a194a9c5-ac8e-cf86-34cd-4f3a3cb6f6ec@ideasonboard.com>
Date:   Wed, 7 Sep 2022 15:46:26 +0300
From:   Tomi Valkeinen <tomi.valkeinen@...asonboard.com>
To:     Maximilian Luz <luzmaximilian@...il.com>,
        Sakari Ailus <sakari.ailus@...ux.intel.com>
Cc:     Bingbu Cao <bingbu.cao@...el.com>,
        Tianshu Qiu <tian.shu.qiu@...el.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        Jacopo Mondi <jacopo+renesas@...ndi.org>,
        Hans Verkuil <hverkuil-cisco@...all.nl>,
        linux-media@...r.kernel.org, linux-staging@...ts.linux.dev,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization
 to allocate active state

Hi Maximilian,

On 07/09/2022 15:33, Maximilian Luz wrote:
> Commit f69952a4dc1e ("media: subdev: add active state to struct
> v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
> This state needs to be allocated via v4l2_subdev_init_finalize(). The
> intel-ipu3 driver unfortunately does not do that, due to which,

That is fine, a driver only needs to allocate the active state if it uses
the active state.

> active_state is NULL and we run into an oops (NULL pointer dereference)
> when that state is accessed.
> 
> In particular, this happens in subdev IOCTLs, as commit 3cc7a4bbc381
> ("media: subdev: pass also the active state to subdevs from ioctls")
> passes that state on to the subdev IOCTLs. An example scenario where
> this happens is running libcamera's qcam or cam on a device with IPU3,
> for example the Microsoft Surface Book 2. In this case, the oops occurs
> reproducibly in v4l2_subdev_get_try_crop(), called via
> imgu_subdev_set_selection().
> 
> To fix this, allocate the active_state member via
> v4l2_subdev_init_finalize().

This is not a correct fix. Sakari has sent (and maybe pushed?) this:

https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@linux.intel.com/

  Tomi


> Link: https://github.com/linux-surface/linux-surface/issues/907
> Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
> Signed-off-by: Maximilian Luz <luzmaximilian@...il.com>
> ---
>   drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
>   1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
> index d1c539cefba8..84ab98ba9a2e 100644
> --- a/drivers/staging/media/ipu3/ipu3-v4l2.c
> +++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
> @@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
>   			"failed to create subdev v4l2 ctrl with err %d", r);
>   		goto fail_subdev;
>   	}
> +
> +	r = v4l2_subdev_init_finalize(&imgu_sd->subdev);
> +	if (r) {
> +		dev_err(&imgu->pci_dev->dev,
> +			"failed to initialize subdev (%d)\n", r);
> +		goto fail_subdev;
> +	}
> +
>   	r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev);
>   	if (r) {
>   		dev_err(&imgu->pci_dev->dev,
> -			"failed initialize subdev (%d)\n", r);
> +			"failed to register subdev (%d)\n", r);
>   		goto fail_subdev;
>   	}
>   
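Review bot: v4l2_subdev_init_finalize() is added here unconditionally even though nothing in this function, or in the other two hunks, starts using the active state; the allocation only stops the core from handing a NULL state down to imgu_subdev_set_selection(), which matches the reply's objection that the driver does not need an active state and that the cause lies in the path that delivers NULL, not in the missing allocation. Separately, the dev_err wording change on the v4l2_device_register_subdev() failure ("failed initialize subdev" to "failed to register subdev") is unrelated cleanup inside a Fixes:-tagged patch; split it into its own patch so the fix can be backported on its own.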
> @@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
>   	return 0;
>   
>   fail_subdev:
> +	v4l2_subdev_cleanup(&imgu_sd->subdev);
>   	v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler);
>   	media_entity_cleanup(&imgu_sd->subdev.entity);
>   
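Review bot: fail_subdev is also the target of the earlier goto on the ctrl-handler failure, before v4l2_subdev_init_finalize() has run, and of the goto on init_finalize()'s own failure, so the new v4l2_subdev_cleanup() call executes on a subdev whose active state was never allocated. Either confirm that v4l2_subdev_cleanup() is safe on a never-finalized subdev and say so in the commit message, or give the register failure its own label placed after the init_finalize() success point so that cleanup only runs when finalization succeeded.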
> @@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i)
>   	struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i];
>   
>   	v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev);
> +	v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev);
>   	v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler);
>   	media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity);
>   }
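Review bot: the teardown order here (unregister, then v4l2_subdev_cleanup(), then the ctrl handler and media entity) correctly reverses the registration order in the first hunk, so nothing to change in isolation; but if the driver ends up not allocating an active state at all, as the reply argues it need not, this call and the one in fail_subdev become no-ops and should be dropped together with the init_finalize() call.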
