Linux-Media Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v7 0/3] media: v4l2-subdev: Verify arguments in  v4l2_subdev_call()
@ 2019-05-20 20:50 Janusz Krzysztofik
  0 siblings, 0 replies; 6+ messages in thread
From: Janusz Krzysztofik @ 2019-05-20 20:50 UTC (permalink / raw)
  To: Mauro Carvalho Chehab
  Cc: Sakari Ailus, Hans Verkuil, linux-media, linux-kernel,
	Janusz Krzysztofik

Correctness of format type (try or active) and pad ID parameters passed
to subdevice operation callbacks is now verified only for IOCTL calls.
However, those callbacks are also used by drivers, e.g., V4L2 host
interfaces.
    
Since both subdev_do_ioctl() and drivers are using v4l2_subdev_call()
macro while calling subdevice operations, move those parameter checks
from subdev_do_ioctl() to v4l2_subdev_call().  Also, add check for
non-NULL pointers, including pad config if V4L2_SUBDEV_FORMAT_TRY is
requested.

Having that done, we can avoid taking care of those checks inside
drivers.

Janusz Krzysztofik (3):
  media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
  media: v4l2-subdev: Verify v4l2_subdev_call() pointer arguments
  media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument

 drivers/media/v4l2-core/v4l2-subdev.c | 268 +++++++++++++++++---------
 include/media/v4l2-subdev.h           |   6 +
 2 files changed, 188 insertions(+), 86 deletions(-)

Changelog:
v6->v7:
Changes suggested by Sakari - thanks!
- never succeed pad check on media entities with pad_num == 0,
- allow pad 0 on subdevies not registered as media entities.

v5->v6:
- rename wrappers to call_something() as suggested by Sakari - thanks!
- make check_ functions inline - also on Sakari's suggestion, thanks!
- drop patch 2/4 and remove WARN_ONs from remaining patches to avoid
  kernel WARNs on non-kernel bugs - thanks Hans for pointing this out!

v4->v5:
- a few coding style and code formatting changes,
- require CONFIG_MEDIA_CONTROLLER, not CONFIG_VIDEO_V4L2_SUBDEV_API,
  for a valid pad ID check,
- perform pad ID check only if at least one pad is configured so
  drivers which don't configure pads are not affected if built with
  CONFIG_MEDIA_CONTROLLER defined,
- issue kernel warnings on invalid parameters (new patch - 2/4),
- validate pointers before using them (new patch - 3/4).

v3->v4:
- fix 'struct' keyword missing from patch 2/2,
- fix checkpatch reported style issue in patch 2/2
Sorry for that.

v2->v3:
- add patch 2/2 with pad config check,
- adjust continuation line alignments in patch 1/2 to match those
  used in 2/2.

v1->v2:
- replace the horrible macro with a structure of wrapper functions;
  inspired by Hans' and Sakari's comments - thanks!

-- 
2.21.0


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v7 0/3] media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
  2019-06-29  3:28 ` Niklas Söderlund
@ 2019-06-29  9:13   ` Hans Verkuil
  0 siblings, 0 replies; 6+ messages in thread
From: Hans Verkuil @ 2019-06-29  9:13 UTC (permalink / raw)
  To: Niklas Söderlund, Janusz Krzysztofik
  Cc: Mauro Carvalho Chehab, Sakari Ailus, linux-media, linux-kernel

On 6/29/19 5:28 AM, Niklas Söderlund wrote:
> Hi,
> 
> This patch breaks rcar-vin. I'm sorry I did not find out before it was 
> merged as a8fa55078a7784a9 ("media: v4l2-subdev: Verify arguments in 
> v4l2_subdev_call()").
> 
> The problem is that rcar-vin calls enum_mbus_code in its bound callback.  
> At this point call_enum_mbus_code() is invoked which then calls 
> check_pad(). At this point sd->entity.graph_obj.mdev is not set so the 
> check if (pad > 0) fails and the binding of the subdevice in rcar-vin 
> fails.
> 
> I'm not sure how to best solve this, suggestions are appreciated. I see 
> two options, move the call to enum_mbus_code from the bound to the 
> complete callback or make sure the mdev is associated with the subdev 
> before the bound callback is invoked. I don't like the former as I think 
> the complete callback should be removed ;-)

I don't think check_pad() should check mdev. Try this instead:

static inline int check_pad(struct v4l2_subdev *sd, __u32 pad)
{
#if defined(CONFIG_MEDIA_CONTROLLER)
	if (sd->entity.num_pads)
	        return pad >= sd->entity.num_pads ? -EINVAL : 0;
#endif
	/* allow pad 0 on subdevices not registered as media entities */
	return pad ? -EINVAL : 0;
}

If the subdev defines pads, then sd->entity.num_pads is non-zero and it can
be used to check the pad value, otherwise it should just only accept pad 0.

And it shouldn't depend on mdev, since that (as you discovered) may not be
set yet.

Regards,

	Hans

> 
> On 2019-05-20 23:27:44 +0200, Janusz Krzysztofik wrote:
>> Correctness of format type (try or active) and pad ID parameters passed
>> to subdevice operation callbacks is now verified only for IOCTL calls.
>> However, those callbacks are also used by drivers, e.g., V4L2 host
>> interfaces.
>>
>> Since both subdev_do_ioctl() and drivers are using v4l2_subdev_call()
>> macro while calling subdevice operations, move those parameter checks
>> from subdev_do_ioctl() to v4l2_subdev_call().  Also, add check for
>> non-NULL pointers, including pad config if V4L2_SUBDEV_FORMAT_TRY is
>> requested.
>>
>> Having that done, we can avoid taking care of those checks inside
>> drivers.
>>
>> Janusz Krzysztofik (3):
>>   media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
>>   media: v4l2-subdev: Verify v4l2_subdev_call() pointer arguments
>>   media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument
>>
>>  drivers/media/v4l2-core/v4l2-subdev.c | 268 +++++++++++++++++---------
>>  include/media/v4l2-subdev.h           |   6 +
>>  2 files changed, 188 insertions(+), 86 deletions(-)
>>
>> Changelog:
>> v6->v7:
>> Changes suggested by Sakari - thanks!
>> - never succeed pad check on media entities with pad_num == 0,
>> - allow pad 0 on subdevies not registered as media entities.
>>
>> v5->v6:
>> - rename wrappers to call_something() as suggested by Sakari - thanks!
>> - make check_ functions inline - also on Sakari's suggestion, thanks!
>> - drop patch 2/4 and remove WARN_ONs from remaining patches to avoid
>>   kernel WARNs on non-kernel bugs - thanks Hans for pointing this out!
>>
>> v4->v5:
>> - a few coding style and code formatting changes,
>> - require CONFIG_MEDIA_CONTROLLER, not CONFIG_VIDEO_V4L2_SUBDEV_API,
>>   for a valid pad ID check,
>> - perform pad ID check only if at least one pad is configured so
>>   drivers which don't configure pads are not affected if built with
>>   CONFIG_MEDIA_CONTROLLER defined,
>> - issue kernel warnings on invalid parameters (new patch - 2/4),
>> - validate pointers before using them (new patch - 3/4).
>>
>> v3->v4:
>> - fix 'struct' keyword missing from patch 2/2,
>> - fix checkpatch reported style issue in patch 2/2
>> Sorry for that.
>>
>> v2->v3:
>> - add patch 2/2 with pad config check,
>> - adjust continuation line alignments in patch 1/2 to match those
>>   used in 2/2.
>>
>> v1->v2:
>> - replace the horrible macro with a structure of wrapper functions;
>>   inspired by Hans' and Sakari's comments - thanks!
>>
>> -- 
>> 2.21.0
>>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v7 0/3] media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
  2019-05-20 21:27 Janusz Krzysztofik
  2019-05-29 11:15 ` Sakari Ailus
  2019-06-17 12:53 ` Hans Verkuil
@ 2019-06-29  3:28 ` Niklas Söderlund
  2019-06-29  9:13   ` Hans Verkuil
  2 siblings, 1 reply; 6+ messages in thread
From: Niklas Söderlund @ 2019-06-29  3:28 UTC (permalink / raw)
  To: Janusz Krzysztofik
  Cc: Mauro Carvalho Chehab, Sakari Ailus, Hans Verkuil, linux-media,
	linux-kernel

Hi,

This patch breaks rcar-vin. I'm sorry I did not find out before it was 
merged as a8fa55078a7784a9 ("media: v4l2-subdev: Verify arguments in 
v4l2_subdev_call()").

The problem is that rcar-vin calls enum_mbus_code in its bound callback.  
At this point call_enum_mbus_code() is invoked which then calls 
check_pad(). At this point sd->entity.graph_obj.mdev is not set so the 
check if (pad > 0) fails and the binding of the subdevice in rcar-vin 
fails.

I'm not sure how to best solve this, suggestions are appreciated. I see 
two options, move the call to enum_mbus_code from the bound to the 
complete callback or make sure the mdev is associated with the subdev 
before the bound callback is invoked. I don't like the former as I think 
the complete callback should be removed ;-)

On 2019-05-20 23:27:44 +0200, Janusz Krzysztofik wrote:
> Correctness of format type (try or active) and pad ID parameters passed
> to subdevice operation callbacks is now verified only for IOCTL calls.
> However, those callbacks are also used by drivers, e.g., V4L2 host
> interfaces.
> 
> Since both subdev_do_ioctl() and drivers are using v4l2_subdev_call()
> macro while calling subdevice operations, move those parameter checks
> from subdev_do_ioctl() to v4l2_subdev_call().  Also, add check for
> non-NULL pointers, including pad config if V4L2_SUBDEV_FORMAT_TRY is
> requested.
> 
> Having that done, we can avoid taking care of those checks inside
> drivers.
> 
> Janusz Krzysztofik (3):
>   media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
>   media: v4l2-subdev: Verify v4l2_subdev_call() pointer arguments
>   media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument
> 
>  drivers/media/v4l2-core/v4l2-subdev.c | 268 +++++++++++++++++---------
>  include/media/v4l2-subdev.h           |   6 +
>  2 files changed, 188 insertions(+), 86 deletions(-)
> 
> Changelog:
> v6->v7:
> Changes suggested by Sakari - thanks!
> - never succeed pad check on media entities with pad_num == 0,
> - allow pad 0 on subdevies not registered as media entities.
> 
> v5->v6:
> - rename wrappers to call_something() as suggested by Sakari - thanks!
> - make check_ functions inline - also on Sakari's suggestion, thanks!
> - drop patch 2/4 and remove WARN_ONs from remaining patches to avoid
>   kernel WARNs on non-kernel bugs - thanks Hans for pointing this out!
> 
> v4->v5:
> - a few coding style and code formatting changes,
> - require CONFIG_MEDIA_CONTROLLER, not CONFIG_VIDEO_V4L2_SUBDEV_API,
>   for a valid pad ID check,
> - perform pad ID check only if at least one pad is configured so
>   drivers which don't configure pads are not affected if built with
>   CONFIG_MEDIA_CONTROLLER defined,
> - issue kernel warnings on invalid parameters (new patch - 2/4),
> - validate pointers before using them (new patch - 3/4).
> 
> v3->v4:
> - fix 'struct' keyword missing from patch 2/2,
> - fix checkpatch reported style issue in patch 2/2
> Sorry for that.
> 
> v2->v3:
> - add patch 2/2 with pad config check,
> - adjust continuation line alignments in patch 1/2 to match those
>   used in 2/2.
> 
> v1->v2:
> - replace the horrible macro with a structure of wrapper functions;
>   inspired by Hans' and Sakari's comments - thanks!
> 
> -- 
> 2.21.0
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v7 0/3] media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
  2019-05-20 21:27 Janusz Krzysztofik
  2019-05-29 11:15 ` Sakari Ailus
@ 2019-06-17 12:53 ` Hans Verkuil
  2019-06-29  3:28 ` Niklas Söderlund
  2 siblings, 0 replies; 6+ messages in thread
From: Hans Verkuil @ 2019-06-17 12:53 UTC (permalink / raw)
  To: Janusz Krzysztofik, Mauro Carvalho Chehab
  Cc: Sakari Ailus, linux-media, linux-kernel

Sakari,

Are you OK with this series? Please Ack if that's the case, so that I can
merge it.

Regards,

	Hans

On 5/20/19 11:27 PM, Janusz Krzysztofik wrote:
> Correctness of format type (try or active) and pad ID parameters passed
> to subdevice operation callbacks is now verified only for IOCTL calls.
> However, those callbacks are also used by drivers, e.g., V4L2 host
> interfaces.
> 
> Since both subdev_do_ioctl() and drivers are using v4l2_subdev_call()
> macro while calling subdevice operations, move those parameter checks
> from subdev_do_ioctl() to v4l2_subdev_call().  Also, add check for
> non-NULL pointers, including pad config if V4L2_SUBDEV_FORMAT_TRY is
> requested.
> 
> Having that done, we can avoid taking care of those checks inside
> drivers.
> 
> Janusz Krzysztofik (3):
>   media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
>   media: v4l2-subdev: Verify v4l2_subdev_call() pointer arguments
>   media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument
> 
>  drivers/media/v4l2-core/v4l2-subdev.c | 268 +++++++++++++++++---------
>  include/media/v4l2-subdev.h           |   6 +
>  2 files changed, 188 insertions(+), 86 deletions(-)
> 
> Changelog:
> v6->v7:
> Changes suggested by Sakari - thanks!
> - never succeed pad check on media entities with pad_num == 0,
> - allow pad 0 on subdevies not registered as media entities.
> 
> v5->v6:
> - rename wrappers to call_something() as suggested by Sakari - thanks!
> - make check_ functions inline - also on Sakari's suggestion, thanks!
> - drop patch 2/4 and remove WARN_ONs from remaining patches to avoid
>   kernel WARNs on non-kernel bugs - thanks Hans for pointing this out!
> 
> v4->v5:
> - a few coding style and code formatting changes,
> - require CONFIG_MEDIA_CONTROLLER, not CONFIG_VIDEO_V4L2_SUBDEV_API,
>   for a valid pad ID check,
> - perform pad ID check only if at least one pad is configured so
>   drivers which don't configure pads are not affected if built with
>   CONFIG_MEDIA_CONTROLLER defined,
> - issue kernel warnings on invalid parameters (new patch - 2/4),
> - validate pointers before using them (new patch - 3/4).
> 
> v3->v4:
> - fix 'struct' keyword missing from patch 2/2,
> - fix checkpatch reported style issue in patch 2/2
> Sorry for that.
> 
> v2->v3:
> - add patch 2/2 with pad config check,
> - adjust continuation line alignments in patch 1/2 to match those
>   used in 2/2.
> 
> v1->v2:
> - replace the horrible macro with a structure of wrapper functions;
>   inspired by Hans' and Sakari's comments - thanks!
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v7 0/3] media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
  2019-05-20 21:27 Janusz Krzysztofik
@ 2019-05-29 11:15 ` Sakari Ailus
  2019-06-17 12:53 ` Hans Verkuil
  2019-06-29  3:28 ` Niklas Söderlund
  2 siblings, 0 replies; 6+ messages in thread
From: Sakari Ailus @ 2019-05-29 11:15 UTC (permalink / raw)
  To: Janusz Krzysztofik
  Cc: Mauro Carvalho Chehab, Hans Verkuil, linux-media, linux-kernel

Hi Janusz,

On Mon, May 20, 2019 at 11:27:44PM +0200, Janusz Krzysztofik wrote:
> Correctness of format type (try or active) and pad ID parameters passed
> to subdevice operation callbacks is now verified only for IOCTL calls.
> However, those callbacks are also used by drivers, e.g., V4L2 host
> interfaces.
> 
> Since both subdev_do_ioctl() and drivers are using v4l2_subdev_call()
> macro while calling subdevice operations, move those parameter checks
> from subdev_do_ioctl() to v4l2_subdev_call().  Also, add check for
> non-NULL pointers, including pad config if V4L2_SUBDEV_FORMAT_TRY is
> requested.
> 
> Having that done, we can avoid taking care of those checks inside
> drivers.
> 
> Janusz Krzysztofik (3):
>   media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
>   media: v4l2-subdev: Verify v4l2_subdev_call() pointer arguments
>   media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument

For the set:

Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>

On the 1st patch __u32 should be u32. I'd suggest to fix that in a separate
patch.

This was a really nice set. Thank you!

-- 
Kind regards,

Sakari Ailus
sakari.ailus@linux.intel.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH v7 0/3] media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
@ 2019-05-20 21:27 Janusz Krzysztofik
  2019-05-29 11:15 ` Sakari Ailus
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Janusz Krzysztofik @ 2019-05-20 21:27 UTC (permalink / raw)
  To: Mauro Carvalho Chehab
  Cc: Sakari Ailus, Hans Verkuil, linux-media, linux-kernel,
	Janusz Krzysztofik

Correctness of format type (try or active) and pad ID parameters passed
to subdevice operation callbacks is now verified only for IOCTL calls.
However, those callbacks are also used by drivers, e.g., V4L2 host
interfaces.

Since both subdev_do_ioctl() and drivers are using v4l2_subdev_call()
macro while calling subdevice operations, move those parameter checks
from subdev_do_ioctl() to v4l2_subdev_call().  Also, add check for
non-NULL pointers, including pad config if V4L2_SUBDEV_FORMAT_TRY is
requested.

Having that done, we can avoid taking care of those checks inside
drivers.

Janusz Krzysztofik (3):
  media: v4l2-subdev: Verify arguments in v4l2_subdev_call()
  media: v4l2-subdev: Verify v4l2_subdev_call() pointer arguments
  media: v4l2-subdev: Verify v4l2_subdev_call() pad config argument

 drivers/media/v4l2-core/v4l2-subdev.c | 268 +++++++++++++++++---------
 include/media/v4l2-subdev.h           |   6 +
 2 files changed, 188 insertions(+), 86 deletions(-)

Changelog:
v6->v7:
Changes suggested by Sakari - thanks!
- never succeed pad check on media entities with pad_num == 0,
- allow pad 0 on subdevies not registered as media entities.

v5->v6:
- rename wrappers to call_something() as suggested by Sakari - thanks!
- make check_ functions inline - also on Sakari's suggestion, thanks!
- drop patch 2/4 and remove WARN_ONs from remaining patches to avoid
  kernel WARNs on non-kernel bugs - thanks Hans for pointing this out!

v4->v5:
- a few coding style and code formatting changes,
- require CONFIG_MEDIA_CONTROLLER, not CONFIG_VIDEO_V4L2_SUBDEV_API,
  for a valid pad ID check,
- perform pad ID check only if at least one pad is configured so
  drivers which don't configure pads are not affected if built with
  CONFIG_MEDIA_CONTROLLER defined,
- issue kernel warnings on invalid parameters (new patch - 2/4),
- validate pointers before using them (new patch - 3/4).

v3->v4:
- fix 'struct' keyword missing from patch 2/2,
- fix checkpatch reported style issue in patch 2/2
Sorry for that.

v2->v3:
- add patch 2/2 with pad config check,
- adjust continuation line alignments in patch 1/2 to match those
  used in 2/2.

v1->v2:
- replace the horrible macro with a structure of wrapper functions;
  inspired by Hans' and Sakari's comments - thanks!

-- 
2.21.0


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-20 20:50 [PATCH v7 0/3] media: v4l2-subdev: Verify arguments in v4l2_subdev_call() Janusz Krzysztofik
2019-05-20 21:27 Janusz Krzysztofik
2019-05-29 11:15 ` Sakari Ailus
2019-06-17 12:53 ` Hans Verkuil
2019-06-29  3:28 ` Niklas Söderlund
2019-06-29  9:13   ` Hans Verkuil

Linux-Media Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-media/0 linux-media/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-media linux-media/ https://lore.kernel.org/linux-media \
		linux-media@vger.kernel.org linux-media@archiver.kernel.org
	public-inbox-index linux-media


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-media


AGPL code for this site: git clone https://public-inbox.org/ public-inbox