| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251217213526.196533-3-m.lobanov@rosa.ru>
Date: Thu, 18 Dec 2025 00:35:23 +0300
From: Mikhail Lobanov <m.lobanov@...a.ru>
To: Sakari Ailus <sakari.ailus@...ux.intel.com>
Cc: Mikhail Lobanov <m.lobanov@...a.ru>,
Bingbu Cao <bingbu.cao@...el.com>,
Tianshu Qiu <tian.shu.qiu@...el.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Hans Verkuil <hverkuil-cisco@...all.nl>,
linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org
Subject: [PATCH v2 2/2] media: ipu6: isys: video: guard remote pad lookups in streaming helpers
ipu6_isys_video_set_streaming(), ipu6_isys_fw_pin_cfg() and link_validate()
use media_pad_remote_pad_first() on the video node pad and dereference the
returned pad (and its entity) unconditionally. media_pad_remote_pad_first()
only returns a pad for an enabled link, and it may return NULL when the
pipeline is not connected or during teardown/error unwind.
Handle a missing remote pad explicitly: return -ENOTCONN when the remote
pad cannot be obtained and bail out from the firmware pin configuration
helper instead of crashing.
Reported by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 3c1dfb5a69cf ("media: intel/ipu6: input system video nodes and buffer queues")
Signed-off-by: Mikhail Lobanov <m.lobanov@...a.ru>
---
v1: https://lore.kernel.org/lkml/20251211230037.48186-1-m.lobanov@rosa.ru
drivers/media/pci/intel/ipu6/ipu6-isys-video.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/media/pci/intel/ipu6/ipu6-isys-video.c b/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
index dec8f5ffcfa5..8ac310b6b342 100644
--- a/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
+++ b/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
@@ -401,6 +401,9 @@ static int link_validate(struct media_link *link)
link->sink->entity->name);
s_pad = media_pad_remote_pad_first(&av->pad);
+ if (!s_pad)
+ return -ENOTCONN;
+
s_stream = ipu6_isys_get_src_stream_by_src_pad(s_sd, s_pad->index);
v4l2_subdev_lock_state(s_state);
@@ -454,7 +456,6 @@ static int ipu6_isys_fw_pin_cfg(struct ipu6_isys_video *av,
struct ipu6_fw_isys_stream_cfg_data_abi *cfg)
{
struct media_pad *src_pad = media_pad_remote_pad_first(&av->pad);
- struct v4l2_subdev *sd = media_entity_to_v4l2_subdev(src_pad->entity);
struct ipu6_fw_isys_input_pin_info_abi *input_pin;
struct ipu6_fw_isys_output_pin_info_abi *output_pin;
struct ipu6_isys_stream *stream = av->stream;
@@ -466,10 +467,16 @@ static int ipu6_isys_fw_pin_cfg(struct ipu6_isys_video *av,
struct ipu6_isys *isys = av->isys;
struct device *dev = &isys->adev->auxdev.dev;
int input_pins = cfg->nof_input_pins++;
+ struct v4l2_subdev *sd;
int output_pins;
u32 src_stream;
int ret;
+ if (!src_pad)
+ return -ENOTCONN;
+
+ sd = media_entity_to_v4l2_subdev(src_pad->entity);
+
src_stream = ipu6_isys_get_src_stream_by_src_pad(sd, src_pad->index);
ret = ipu6_isys_get_stream_pad_fmt(sd, src_pad->index, src_stream,
&fmt);
@@ -1016,6 +1023,9 @@ int ipu6_isys_video_set_streaming(struct ipu6_isys_video *av, int state,
sd = &stream->asd->sd;
r_pad = media_pad_remote_pad_first(&av->pad);
+ if (!r_pad)
+ return -ENOTCONN;
+
r_stream = ipu6_isys_get_src_stream_by_src_pad(sd, r_pad->index);
subdev_state = v4l2_subdev_lock_and_get_active_state(sd);
--
2.47.2
Powered by blists - more mailing lists