linux-media.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] media: rcar-csi2: Add checking to rcsi2_start_receiver().
@ 2021-08-11 13:31 Nadezda Lutovinova
  2021-08-11 13:45 ` Niklas Söderlund
  0 siblings, 1 reply; 5+ messages in thread
From: Nadezda Lutovinova @ 2021-08-11 13:31 UTC (permalink / raw)
  To: Niklas Söderlund
  Cc: Nadezda Lutovinova, Mauro Carvalho Chehab, linux-media,
	linux-renesas-soc, linux-kernel, ldv-project

If rcsi2_code_to_fmt() return NULL,
then null pointer dereference occurs in the next cycle.
The patch adds checking if format is NULL.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
---
 drivers/media/platform/rcar-vin/rcar-csi2.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c
index e28eff039688..55bb584d2a13 100644
--- a/drivers/media/platform/rcar-vin/rcar-csi2.c
+++ b/drivers/media/platform/rcar-vin/rcar-csi2.c
@@ -553,6 +553,12 @@ static int rcsi2_start_receiver(struct rcar_csi2 *priv)
 
 	/* Code is validated in set_fmt. */
 	format = rcsi2_code_to_fmt(priv->mf.code);
+	if (!format) {
+		dev_err(priv->dev,
+			"Incorrect mbus frame format code %u\n",
+			priv->mf.code);
+		return -EINVAL;
+	}
 
 	/*
 	 * Enable all supported CSI-2 channels with virtual channel and
-- 
2.17.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] media: rcar-csi2: Add checking to rcsi2_start_receiver().
  2021-08-11 13:31 [PATCH] media: rcar-csi2: Add checking to rcsi2_start_receiver() Nadezda Lutovinova
@ 2021-08-11 13:45 ` Niklas Söderlund
  2021-08-11 17:18   ` [PATCH v2] " Nadezda Lutovinova
  0 siblings, 1 reply; 5+ messages in thread
From: Niklas Söderlund @ 2021-08-11 13:45 UTC (permalink / raw)
  To: Nadezda Lutovinova
  Cc: Mauro Carvalho Chehab, linux-media, linux-renesas-soc,
	linux-kernel, ldv-project

Hi Nadezda,

Thanks for your work.

On 2021-08-11 16:31:42 +0300, Nadezda Lutovinova wrote:
> If rcsi2_code_to_fmt() return NULL,
> then null pointer dereference occurs in the next cycle.
> The patch adds checking if format is NULL.
> 
> Found by Linux Driver Verification project (linuxtesting.org).

Please drop the '.' at the end of the patch subject. Also the commit 
message could be better line wrapped.

> 
> Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
> ---
>  drivers/media/platform/rcar-vin/rcar-csi2.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c
> index e28eff039688..55bb584d2a13 100644
> --- a/drivers/media/platform/rcar-vin/rcar-csi2.c
> +++ b/drivers/media/platform/rcar-vin/rcar-csi2.c
> @@ -553,6 +553,12 @@ static int rcsi2_start_receiver(struct rcar_csi2 *priv)
>  
>  	/* Code is validated in set_fmt. */
>  	format = rcsi2_code_to_fmt(priv->mf.code);
> +	if (!format) {

This can never happen ;-)

The only place priv->mf.code is set (after probe) is in  
rcsi2_set_pad_format() and there it explicitly checks if 
rcsi2_code_to_fmt() returns NULl and if so sets it to something that 
guarantees it will not.

Think of it as the verification is done at format configuration time so 
we don't have to have check it at start time. The reason for this is 
that we can't do much about a failure here other then fail the start 
while at configure time we can try to correct it and inform the user of 
the change.

That being said, I'm not oppose to fail the start here if we ever do 
introduce a bug here where rcsi2_code_to_fmt() would return NULL here.  
But I would like to drop the dev_err() here and just return -EINVAL.

I would mention in the commit message that this protects from future 
bugs.

> +		dev_err(priv->dev,
> +			"Incorrect mbus frame format code %u\n",
> +			priv->mf.code);
> +		return -EINVAL;
> +	}
>  
>  	/*
>  	 * Enable all supported CSI-2 channels with virtual channel and
> -- 
> 2.17.1
> 

-- 
Regards,
Niklas Söderlund

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH v2] media: rcar-csi2: Add checking to rcsi2_start_receiver()
  2021-08-11 13:45 ` Niklas Söderlund
@ 2021-08-11 17:18   ` Nadezda Lutovinova
  2021-08-12  9:16     ` Jacopo Mondi
  2021-08-12  9:30     ` Niklas Söderlund
  0 siblings, 2 replies; 5+ messages in thread
From: Nadezda Lutovinova @ 2021-08-11 17:18 UTC (permalink / raw)
  To: Niklas Söderlund
  Cc: Nadezda Lutovinova, Mauro Carvalho Chehab, linux-media,
	linux-renesas-soc, linux-kernel, ldv-project

If rcsi2_code_to_fmt() return NULL, then null pointer dereference occurs 
in the next cycle. That should not be possible now but adding checking 
protects from future bugs.
The patch adds checking if format is NULL.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
---
v2: fix subject and commit message, remove dev_err()
---
 drivers/media/platform/rcar-vin/rcar-csi2.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c
index e28eff039688..d28f83f7698b 100644
--- a/drivers/media/platform/rcar-vin/rcar-csi2.c
+++ b/drivers/media/platform/rcar-vin/rcar-csi2.c
@@ -553,6 +553,8 @@ static int rcsi2_start_receiver(struct rcar_csi2 *priv)
 
 	/* Code is validated in set_fmt. */
 	format = rcsi2_code_to_fmt(priv->mf.code);
+	if (!format)
+		return -EINVAL;
 
 	/*
 	 * Enable all supported CSI-2 channels with virtual channel and
-- 
2.17.1


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] media: rcar-csi2: Add checking to rcsi2_start_receiver()
  2021-08-11 17:18   ` [PATCH v2] " Nadezda Lutovinova
@ 2021-08-12  9:16     ` Jacopo Mondi
  2021-08-12  9:30     ` Niklas Söderlund
  1 sibling, 0 replies; 5+ messages in thread
From: Jacopo Mondi @ 2021-08-12  9:16 UTC (permalink / raw)
  To: Nadezda Lutovinova
  Cc: Niklas Söderlund, Mauro Carvalho Chehab, linux-media,
	linux-renesas-soc, linux-kernel, ldv-project

Hello Nadezda,

On Wed, Aug 11, 2021 at 08:18:16PM +0300, Nadezda Lutovinova wrote:
> If rcsi2_code_to_fmt() return NULL, then null pointer dereference occurs
> in the next cycle. That should not be possible now but adding checking
> protects from future bugs.
> The patch adds checking if format is NULL.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>

Reviewed-by: Jacopo Mondi <jacopo@jmondi.org>

Thanks
   j

> ---
> v2: fix subject and commit message, remove dev_err()
> ---
>  drivers/media/platform/rcar-vin/rcar-csi2.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c
> index e28eff039688..d28f83f7698b 100644
> --- a/drivers/media/platform/rcar-vin/rcar-csi2.c
> +++ b/drivers/media/platform/rcar-vin/rcar-csi2.c
> @@ -553,6 +553,8 @@ static int rcsi2_start_receiver(struct rcar_csi2 *priv)
>
>  	/* Code is validated in set_fmt. */
>  	format = rcsi2_code_to_fmt(priv->mf.code);
> +	if (!format)
> +		return -EINVAL;
>
>  	/*
>  	 * Enable all supported CSI-2 channels with virtual channel and
> --
> 2.17.1
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH v2] media: rcar-csi2: Add checking to rcsi2_start_receiver()
  2021-08-11 17:18   ` [PATCH v2] " Nadezda Lutovinova
  2021-08-12  9:16     ` Jacopo Mondi
@ 2021-08-12  9:30     ` Niklas Söderlund
  1 sibling, 0 replies; 5+ messages in thread
From: Niklas Söderlund @ 2021-08-12  9:30 UTC (permalink / raw)
  To: Nadezda Lutovinova
  Cc: Mauro Carvalho Chehab, linux-media, linux-renesas-soc,
	linux-kernel, ldv-project

Hi Nadezda,

Thanks for your patch.

On 2021-08-11 20:18:16 +0300, Nadezda Lutovinova wrote:
> If rcsi2_code_to_fmt() return NULL, then null pointer dereference occurs 
> in the next cycle. That should not be possible now but adding checking 
> protects from future bugs.
> The patch adds checking if format is NULL.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>

Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>

> ---
> v2: fix subject and commit message, remove dev_err()
> ---
>  drivers/media/platform/rcar-vin/rcar-csi2.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c
> index e28eff039688..d28f83f7698b 100644
> --- a/drivers/media/platform/rcar-vin/rcar-csi2.c
> +++ b/drivers/media/platform/rcar-vin/rcar-csi2.c
> @@ -553,6 +553,8 @@ static int rcsi2_start_receiver(struct rcar_csi2 *priv)
>  
>  	/* Code is validated in set_fmt. */
>  	format = rcsi2_code_to_fmt(priv->mf.code);
> +	if (!format)
> +		return -EINVAL;
>  
>  	/*
>  	 * Enable all supported CSI-2 channels with virtual channel and
> -- 
> 2.17.1
> 

-- 
Regards,
Niklas Söderlund

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-08-12  9:30 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-11 13:31 [PATCH] media: rcar-csi2: Add checking to rcsi2_start_receiver() Nadezda Lutovinova
2021-08-11 13:45 ` Niklas Söderlund
2021-08-11 17:18   ` [PATCH v2] " Nadezda Lutovinova
2021-08-12  9:16     ` Jacopo Mondi
2021-08-12  9:30     ` Niklas Söderlund

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).