Message-ID: <aV-5HlUJ4u-yTbmK@zed>
Date: Thu, 8 Jan 2026 15:07:58 +0100
From: Jacopo Mondi <jacopo.mondi@...asonboard.com>
To: Alper Ak <alperyasinak1@...il.com>
Cc: dan.scally@...asonboard.com, jacopo.mondi@...asonboard.com, 
	Mauro Carvalho Chehab <mchehab@...nel.org>, Nayden Kanchev <nayden.kanchev@....com>, 
	Hans Verkuil <hverkuil+cisco@...nel.org>, linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] media: mali-c55: Fix possible ERR_PTR dereference in
 mali_c55_isp_enable_streams()

Hello Alper

On Sat, Dec 27, 2025 at 02:51:52PM +0300, Alper Ak wrote:
> media_pad_remote_pad_unique() can return ERR_PTR(-ENOTUNIQ) or
> ERR_PTR(-ENOLINK) on error situation.
>
> The current code dereferences isp->remote_src without checking
> for these error cases, which could lead to invalid memory access.
>
> Add IS_ERR() check before dereferencing the pointer.
>
> Fixes: d5f281f3dd29 ("media: mali-c55: Add Mali-C55 ISP driver")
> Signed-off-by: Alper Ak <alperyasinak1@...il.com>
> ---
>  drivers/media/platform/arm/mali-c55/mali-c55-isp.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/media/platform/arm/mali-c55/mali-c55-isp.c b/drivers/media/platform/arm/mali-c55/mali-c55-isp.c
> index 497f25fbdd13..ca1f0bde6f13 100644
> --- a/drivers/media/platform/arm/mali-c55/mali-c55-isp.c
> +++ b/drivers/media/platform/arm/mali-c55/mali-c55-isp.c
> @@ -359,7 +359,11 @@ static int mali_c55_isp_enable_streams(struct v4l2_subdev *sd,
>  	 */
>
>  	sink_pad = &isp->pads[MALI_C55_ISP_PAD_SINK_VIDEO];
> +
>  	isp->remote_src = media_pad_remote_pad_unique(sink_pad);
> +	if (IS_ERR(isp->remote_src))
> +		return PTR_ERR(isp->remote_src);
> +

To be honest I'm not sure if this can happen.

-ENOTUNIQ shouldn't be possible as we create a link for the single
subdev connected to port 0

-ENOLINK shouldn't be possible as well, as if the remote subdev
doesn't bind we won't have a media graph at all

Being defensive is always wise, but sometimes being too defensive
might result in the reader asking what the code is protecting against
if an error condition is impossible to reach.

Is there a case which I have missed which can lead to an error
condition?

Thanks
  j

>  	src_sd = media_entity_to_v4l2_subdev(isp->remote_src->entity);
>
>  	isp->frame_sequence = 0;
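
Review bot: On the new error return after media_pad_remote_pad_unique(), isp->remote_src is left holding the ERR_PTR value, because the result is stored in the struct field before IS_ERR() is evaluated. Anything that reads isp->remote_src after a failed call would see a non-NULL error pointer rather than a valid pad or NULL. Consider taking the result in a local struct media_pad pointer, returning PTR_ERR() from that local on failure, and assigning isp->remote_src only on success. The blank line added before the assignment is an unrelated whitespace change and can be dropped. The commit message would also be stronger if it stated which media graph configuration makes -ENOTUNIQ or -ENOLINK reachable at this call site, since the hunk itself does not show one.
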
> --
> 2.43.0
>
>
