lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 7 Sep 2022 15:18:58 +0200
From:   Maximilian Luz <luzmaximilian@...il.com>
To:     Tomi Valkeinen <tomi.valkeinen@...asonboard.com>,
        Sakari Ailus <sakari.ailus@...ux.intel.com>
Cc:     Bingbu Cao <bingbu.cao@...el.com>,
        Tianshu Qiu <tian.shu.qiu@...el.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        Jacopo Mondi <jacopo+renesas@...ndi.org>,
        Hans Verkuil <hverkuil-cisco@...all.nl>,
        linux-media@...r.kernel.org, linux-staging@...ts.linux.dev,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization
 to allcoate active state

Hi,

On 9/7/22 14:46, Tomi Valkeinen wrote:
> Hi Maximilian,
> 
> On 07/09/2022 15:33, Maximilian Luz wrote:
>> Commit f69952a4dc1e ("media: subdev: add active state to struct
>> v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
>> This state needs to be allocated via v4l2_subdev_init_finalize(). The
>> intel-ipu3 driver unfortunately does not do that, due to which,
> 
> That is fine, a driver only needs to allocate the active state if it uses
> the active state.
> 
>> active_state is NULL and we run into an oops (NULL pointer dereference)
>> when that state is accessed.
>>
>> In particular, this happens subdev in IOCTLs as commit 3cc7a4bbc381
>> ("media: subdev: pass also the active state to subdevs from ioctls")
>> passes that state on to the subdev IOCTLs. An example scenario where
>> this happens is running libcamera's qcam or cam on a device with IPU3,
>> for example the Microsoft Surface Book 2. In this case, the oops is
>> reproducibly in v4l2_subdev_get_try_crop(), called via
>> imgu_subdev_set_selection().
>>
>> To fix this, allocate the active_state member via
>> v4l2_subdev_init_finalize().
> 
> This is not a correct fix. Sakari has sent (and maybe pushed?) this:
> 
> https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@linux.intel.com/

Thanks! Unfortunately that doesn't fix the issue completely: That patch
addresses imgu_subdev_get_selection() but imgu_subdev_set_selection()
still runs into the oops.

I assume a similar fix to the one you linked is needed? I'll give that a
try.

Regards,
Max

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ