| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a194a9c5-ac8e-cf86-34cd-4f3a3cb6f6ec@ideasonboard.com>
Date: Wed, 7 Sep 2022 15:46:26 +0300
From: Tomi Valkeinen <tomi.valkeinen@...asonboard.com>
To: Maximilian Luz <luzmaximilian@...il.com>,
Sakari Ailus <sakari.ailus@...ux.intel.com>
Cc: Bingbu Cao <bingbu.cao@...el.com>,
Tianshu Qiu <tian.shu.qiu@...el.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Laurent Pinchart <laurent.pinchart@...asonboard.com>,
Jacopo Mondi <jacopo+renesas@...ndi.org>,
Hans Verkuil <hverkuil-cisco@...all.nl>,
linux-media@...r.kernel.org, linux-staging@...ts.linux.dev,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization
to allcoate active state
Hi Maximilian,
On 07/09/2022 15:33, Maximilian Luz wrote:
> Commit f69952a4dc1e ("media: subdev: add active state to struct
> v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
> This state needs to be allocated via v4l2_subdev_init_finalize(). The
> intel-ipu3 driver unfortunately does not do that, due to which,
That is fine, a driver only needs to allocate the active state if it uses
the active state.
> active_state is NULL and we run into an oops (NULL pointer dereference)
> when that state is accessed.
>
> In particular, this happens subdev in IOCTLs as commit 3cc7a4bbc381
> ("media: subdev: pass also the active state to subdevs from ioctls")
> passes that state on to the subdev IOCTLs. An example scenario where
> this happens is running libcamera's qcam or cam on a device with IPU3,
> for example the Microsoft Surface Book 2. In this case, the oops is
> reproducibly in v4l2_subdev_get_try_crop(), called via
> imgu_subdev_set_selection().
>
> To fix this, allocate the active_state member via
> v4l2_subdev_init_finalize().
This is not a correct fix. Sakari has sent (and maybe pushed?) this:
https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@linux.intel.com/
Tomi
> Link: https://github.com/linux-surface/linux-surface/issues/907
> Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
> Signed-off-by: Maximilian Luz <luzmaximilian@...il.com>
> ---
> drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
> index d1c539cefba8..84ab98ba9a2e 100644
> --- a/drivers/staging/media/ipu3/ipu3-v4l2.c
> +++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
> @@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
> "failed to create subdev v4l2 ctrl with err %d", r);
> goto fail_subdev;
> }
> +
> + r = v4l2_subdev_init_finalize(&imgu_sd->subdev);
> + if (r) {
> + dev_err(&imgu->pci_dev->dev,
> + "failed to initialize subdev (%d)\n", r);
> + goto fail_subdev;
> + }
> +
> r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev);
> if (r) {
> dev_err(&imgu->pci_dev->dev,
> - "failed initialize subdev (%d)\n", r);
> + "failed to register subdev (%d)\n", r);
> goto fail_subdev;
> }
>
> @@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
> return 0;
>
> fail_subdev:
> + v4l2_subdev_cleanup(&imgu_sd->subdev);
> v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler);
> media_entity_cleanup(&imgu_sd->subdev.entity);
>
> @@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i)
> struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i];
>
> v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev);
> + v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev);
> v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler);
> media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity);
> }
Powered by blists - more mailing lists