| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAEAJfDgJM++zHzR9ez94ZgRSr7H6NrohsG8=+8722ZEjC1gRg@mail.gmail.com>
Date: Tue, 23 May 2023 13:28:11 -0300
From: Ezequiel Garcia <ezequiel@...guardiasur.com.ar>
To: Benjamin Gaignard <benjamin.gaignard@...labora.com>
Cc: nicolas.dufresne@...labora.com, p.zabel@...gutronix.de,
mchehab@...nel.org, m.szyprowski@...sung.com,
m.tretter@...gutronix.de, didi.debian@...ow.org,
linux-media@...r.kernel.org, linux-rockchip@...ts.infradead.org,
linux-kernel@...r.kernel.org, kernel@...labora.com,
hverkuil-cisco@...all.nl, kernel@...gutronix.de,
regressions@...ts.linux.dev
Subject: Re: [PATCH] media: verisilicon: Additional fix for the crash when
opening the driver
Hi Benjamin,
Thanks for the patch.
On Tue, May 23, 2023 at 1:25 PM Benjamin Gaignard
<benjamin.gaignard@...labora.com> wrote:
>
> This fixes the following issue observed on Odroid-M1 board:
>
> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
What pointer is NULL? ctx->src_fmt ?
> Mem abort info:
> ...
> Modules linked in: crct10dif_ce hantro_vpu snd_soc_simple_card snd_soc_simple_card_utils v4l2_vp9 v4l2_h264 rockchip_saradc v4l2_mem2mem videobuf2_dma_contig videobuf2_memops rtc_rk808 videobuf2_v4l2 industrialio_triggered_buffer rockchip_thermal dwmac_rk stmmac_platform stmmac videodev kfifo_buf display_connector videobuf2_common pcs_xpcs mc rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi drm_display_helper panfrost drm_shmem_helper gpu_sched ip_tables x_tables ipv6
> CPU: 3 PID: 176 Comm: v4l_id Not tainted 6.3.0-rc7-next-20230420 #13481
> Hardware name: Hardkernel ODROID-M1 (DT)
> pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : hantro_try_fmt+0xa0/0x278 [hantro_vpu]
> lr : hantro_try_fmt+0x94/0x278 [hantro_vpu]
> ...
> Call trace:
> hantro_try_fmt+0xa0/0x278 [hantro_vpu]
> hantro_set_fmt_out+0x3c/0x298 [hantro_vpu]
> hantro_reset_raw_fmt+0x98/0x128 [hantro_vpu]
> hantro_set_fmt_cap+0x240/0x254 [hantro_vpu]
> hantro_reset_encoded_fmt+0x94/0xcc [hantro_vpu]
> hantro_reset_fmts+0x18/0x38 [hantro_vpu]
> hantro_open+0xd4/0x20c [hantro_vpu]
> v4l2_open+0x80/0x120 [videodev]
> chrdev_open+0xc0/0x22c
> do_dentry_open+0x13c/0x48c
> vfs_open+0x2c/0x38
> path_openat+0x550/0x934
> do_filp_open+0x80/0x12c
> do_sys_openat2+0xb4/0x168
> __arm64_sys_openat+0x64/0xac
> invoke_syscall+0x48/0x114
> el0_svc_common+0x100/0x120
> do_el0_svc+0x3c/0xa8
> el0_svc+0x40/0xa8
> el0t_64_sync_handler+0xb8/0xbc
> el0t_64_sync+0x190/0x194
> Code: 97fc8a7f f940aa80 52864a61 72a686c1 (b9400800)
> ---[ end trace 0000000000000000 ]---
>
> Fixes: db6f68b51e5c ("media: verisilicon: Do not set context src/dst formats in reset functions")
>
> Signed-off-by: Benjamin Gaignard <benjamin.gaignard@...labora.com>
> ---
> drivers/media/platform/verisilicon/hantro_v4l2.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/platform/verisilicon/hantro_v4l2.c b/drivers/media/platform/verisilicon/hantro_v4l2.c
> index 835518534e3b..61cfaaf4e927 100644
> --- a/drivers/media/platform/verisilicon/hantro_v4l2.c
> +++ b/drivers/media/platform/verisilicon/hantro_v4l2.c
> @@ -397,10 +397,12 @@ hantro_reset_raw_fmt(struct hantro_ctx *ctx, int bit_depth)
> if (!raw_vpu_fmt)
> return -EINVAL;
>
> - if (ctx->is_encoder)
> + if (ctx->is_encoder) {
> encoded_fmt = &ctx->dst_fmt;
> - else
> + ctx->vpu_src_fmt = raw_vpu_fmt;
> + } else {
> encoded_fmt = &ctx->src_fmt;
> + }
>
> hantro_reset_fmt(&raw_fmt, raw_vpu_fmt);
> raw_fmt.width = encoded_fmt->width;
> --
> 2.34.1
>
Powered by blists - more mailing lists