Message-ID: <20251211230037.48186-1-m.lobanov@rosa.ru>
Date: Fri, 12 Dec 2025 02:00:36 +0300
From: Mikhail Lobanov <m.lobanov@...a.ru>
To: Sakari Ailus <sakari.ailus@...ux.intel.com>
Cc: Mikhail Lobanov <m.lobanov@...a.ru>,
	Bingbu Cao <bingbu.cao@...el.com>,
	Tianshu Qiu <tian.shu.qiu@...el.com>,
	Mauro Carvalho Chehab <mchehab@...nel.org>,
	Hans Verkuil <hverkuil-cisco@...all.nl>,
	linux-media@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	lvc-project@...uxtesting.org
Subject: [PATCH] media: ipu6: isys: fix video NULL deref on missing remote pad

media_pad_remote_pad_first() may return NULL when there is no enabled
media link on the video node pad. ipu6_isys_video_set_streaming() and
ipu6_isys_fw_pin_cfg() dereference the returned pad and its entity
unconditionally, which can lead to a NULL pointer dereference when the
pipeline is not connected.

Check the remote pad before using it, return -ENOTCONN from the streaming
setup path when no remote pad is found, and bail out from the firmware
pin configuration helper instead of crashing.

Reported by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 3c1dfb5a69cf ("media: intel/ipu6: input system video nodes and buffer queues")
Signed-off-by: Mikhail Lobanov <m.lobanov@...a.ru>
---
 drivers/media/pci/intel/ipu6/ipu6-isys-video.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/intel/ipu6/ipu6-isys-video.c b/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
index dec8f5ffcfa5..8ac310b6b342 100644
--- a/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
+++ b/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
@@ -401,6 +401,9 @@ static int link_validate(struct media_link *link)
 		link->sink->entity->name);
 
 	s_pad = media_pad_remote_pad_first(&av->pad);
+	if (!s_pad)
+		return -ENOTCONN;
+
 	s_stream = ipu6_isys_get_src_stream_by_src_pad(s_sd, s_pad->index);
 
 	v4l2_subdev_lock_state(s_state);
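Review bot: The new `if (!s_pad)` check in link_validate() is not covered by the commit message, which names only ipu6_isys_video_set_streaming() and ipu6_isys_fw_pin_cfg() as the functions that dereference the result of media_pad_remote_pad_first(). Please mention link_validate() in the changelog too, and state whether a NULL remote pad is actually reachable here, given that the function is called with a `struct media_link *link` whose `link->sink->entity` is already dereferenced just above.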
@@ -454,7 +456,6 @@ static int ipu6_isys_fw_pin_cfg(struct ipu6_isys_video *av,
 				struct ipu6_fw_isys_stream_cfg_data_abi *cfg)
 {
 	struct media_pad *src_pad = media_pad_remote_pad_first(&av->pad);
-	struct v4l2_subdev *sd = media_entity_to_v4l2_subdev(src_pad->entity);
 	struct ipu6_fw_isys_input_pin_info_abi *input_pin;
 	struct ipu6_fw_isys_output_pin_info_abi *output_pin;
 	struct ipu6_isys_stream *stream = av->stream;
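Review bot: The hunk header `@@ -454,7 +456,6 @@` does not add up with the hunk before it: that hunk adds three lines and removes none, so old line 454 should map to new line 457, and the following headers (`+467` and `+1023`) are off by one in the same way. This suggests the diff was edited by hand after it was generated; please regenerate it with git format-patch from the committed change so the posted patch matches what is in your tree.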
@@ -466,10 +467,16 @@ static int ipu6_isys_fw_pin_cfg(struct ipu6_isys_video *av,
 	struct ipu6_isys *isys = av->isys;
 	struct device *dev = &isys->adev->auxdev.dev;
 	int input_pins = cfg->nof_input_pins++;
+	struct v4l2_subdev *sd;
 	int output_pins;
 	u32 src_stream;
 	int ret;
 
+	if (!src_pad)
+		return -ENOTCONN;
+
+	sd = media_entity_to_v4l2_subdev(src_pad->entity);
+
 	src_stream = ipu6_isys_get_src_stream_by_src_pad(sd, src_pad->index);
 	ret = ipu6_isys_get_stream_pad_fmt(sd, src_pad->index, src_stream,
 					   &fmt);
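Review bot: The `if (!src_pad)` check in ipu6_isys_fw_pin_cfg() runs after the declaration `int input_pins = cfg->nof_input_pins++;`, so the -ENOTCONN path returns with `cfg->nof_input_pins` already incremented for a pin that was never configured. Either move the increment below the NULL check (declare `input_pins` without the initializer and assign it after the check) or undo it on the error path, so a failed call leaves `cfg` unchanged.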
@@ -1016,6 +1023,9 @@ int ipu6_isys_video_set_streaming(struct ipu6_isys_video *av, int state,
 
 	sd = &stream->asd->sd;
 	r_pad = media_pad_remote_pad_first(&av->pad);
+	if (!r_pad)
+		return -ENOTCONN;
+
 	r_stream = ipu6_isys_get_src_stream_by_src_pad(sd, r_pad->index);
 
 	subdev_state = v4l2_subdev_lock_and_get_active_state(sd);
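Review bot: The `if (!r_pad)` early return in ipu6_isys_video_set_streaming() is taken regardless of the `state` argument, so a call that is meant to stop streaming would also get -ENOTCONN and skip everything after this point. Please confirm that no teardown is skipped when `state` is 0 and the remote pad is gone, or restrict the error return to the start path and document the stop-path behaviour in the commit message.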
-- 
2.47.2

