* [PATCH] media: ti-vpe: cal: fix write to unallocated memory
@ 2021-01-13 9:00 Tomi Valkeinen
2021-01-13 9:06 ` Tomi Valkeinen
2021-01-14 2:29 ` Laurent Pinchart
0 siblings, 2 replies; 4+ messages in thread
From: Tomi Valkeinen @ 2021-01-13 9:00 UTC (permalink / raw)
To: Benoit Parrot, Laurent Pinchart, linux-media; +Cc: Tomi Valkeinen
The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be
of size cal_v4l2_async_subdev, otherwise access to
cal_v4l2_async_subdev->phy will go to unallocated memory.
Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier")
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
---
drivers/media/platform/ti-vpe/cal.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
index 59a0266b1f39..2eef245c31a1 100644
--- a/drivers/media/platform/ti-vpe/cal.c
+++ b/drivers/media/platform/ti-vpe/cal.c
@@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data)
*/
struct cal_v4l2_async_subdev {
- struct v4l2_async_subdev asd;
+ struct v4l2_async_subdev asd; /* Must be first */
struct cal_camerarx *phy;
};
@@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal)
fwnode = of_fwnode_handle(phy->sensor_node);
asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier,
fwnode,
- sizeof(*asd));
+ sizeof(*casd));
if (IS_ERR(asd)) {
phy_err(phy, "Failed to add subdev to notifier\n");
ret = PTR_ERR(asd);
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] media: ti-vpe: cal: fix write to unallocated memory
2021-01-13 9:00 [PATCH] media: ti-vpe: cal: fix write to unallocated memory Tomi Valkeinen
@ 2021-01-13 9:06 ` Tomi Valkeinen
2021-01-13 17:22 ` Ezequiel Garcia
2021-01-14 2:29 ` Laurent Pinchart
1 sibling, 1 reply; 4+ messages in thread
From: Tomi Valkeinen @ 2021-01-13 9:06 UTC (permalink / raw)
To: Benoit Parrot, Laurent Pinchart, linux-media; +Cc: stable
On 13/01/2021 11:00, Tomi Valkeinen wrote:
> The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be
> of size cal_v4l2_async_subdev, otherwise access to
> cal_v4l2_async_subdev->phy will go to unallocated memory.
>
> Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier")
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Ah, I forgot to add:
Cc: stable@vger.kernel.org # 5.9+
> ---
> drivers/media/platform/ti-vpe/cal.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
> index 59a0266b1f39..2eef245c31a1 100644
> --- a/drivers/media/platform/ti-vpe/cal.c
> +++ b/drivers/media/platform/ti-vpe/cal.c
> @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data)
> */
>
> struct cal_v4l2_async_subdev {
> - struct v4l2_async_subdev asd;
> + struct v4l2_async_subdev asd; /* Must be first */
> struct cal_camerarx *phy;
> };
>
> @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal)
> fwnode = of_fwnode_handle(phy->sensor_node);
> asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier,
> fwnode,
> - sizeof(*asd));
> + sizeof(*casd));
> if (IS_ERR(asd)) {
> phy_err(phy, "Failed to add subdev to notifier\n");
> ret = PTR_ERR(asd);
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] media: ti-vpe: cal: fix write to unallocated memory
2021-01-13 9:06 ` Tomi Valkeinen
@ 2021-01-13 17:22 ` Ezequiel Garcia
0 siblings, 0 replies; 4+ messages in thread
From: Ezequiel Garcia @ 2021-01-13 17:22 UTC (permalink / raw)
To: Tomi Valkeinen; +Cc: Benoit Parrot, Laurent Pinchart, linux-media, stable
On Wed, 13 Jan 2021 at 06:08, Tomi Valkeinen
<tomi.valkeinen@ideasonboard.com> wrote:
>
> On 13/01/2021 11:00, Tomi Valkeinen wrote:
> > The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be
> > of size cal_v4l2_async_subdev, otherwise access to
> > cal_v4l2_async_subdev->phy will go to unallocated memory.
> >
> > Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier")
> > Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
>
> Ah, I forgot to add:
>
> Cc: stable@vger.kernel.org # 5.9+
>
Nice catch. I missed users of v4l2_async_notifier_add_fwnode_subdev
in my recent cleanup series.
Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
Thanks,
Ezequiel
> > ---
> > drivers/media/platform/ti-vpe/cal.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
> > index 59a0266b1f39..2eef245c31a1 100644
> > --- a/drivers/media/platform/ti-vpe/cal.c
> > +++ b/drivers/media/platform/ti-vpe/cal.c
> > @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data)
> > */
> >
> > struct cal_v4l2_async_subdev {
> > - struct v4l2_async_subdev asd;
> > + struct v4l2_async_subdev asd; /* Must be first */
> > struct cal_camerarx *phy;
> > };
> >
> > @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal)
> > fwnode = of_fwnode_handle(phy->sensor_node);
> > asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier,
> > fwnode,
> > - sizeof(*asd));
> > + sizeof(*casd));
> > if (IS_ERR(asd)) {
> > phy_err(phy, "Failed to add subdev to notifier\n");
> > ret = PTR_ERR(asd);
> >
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] media: ti-vpe: cal: fix write to unallocated memory
2021-01-13 9:00 [PATCH] media: ti-vpe: cal: fix write to unallocated memory Tomi Valkeinen
2021-01-13 9:06 ` Tomi Valkeinen
@ 2021-01-14 2:29 ` Laurent Pinchart
1 sibling, 0 replies; 4+ messages in thread
From: Laurent Pinchart @ 2021-01-14 2:29 UTC (permalink / raw)
To: Tomi Valkeinen; +Cc: Benoit Parrot, linux-media
Hi Tomi,
Thank you for the patch.
On Wed, Jan 13, 2021 at 11:00:27AM +0200, Tomi Valkeinen wrote:
> The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be
> of size cal_v4l2_async_subdev, otherwise access to
> cal_v4l2_async_subdev->phy will go to unallocated memory.
>
> Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier")
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
> ---
> drivers/media/platform/ti-vpe/cal.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
> index 59a0266b1f39..2eef245c31a1 100644
> --- a/drivers/media/platform/ti-vpe/cal.c
> +++ b/drivers/media/platform/ti-vpe/cal.c
> @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data)
> */
>
> struct cal_v4l2_async_subdev {
> - struct v4l2_async_subdev asd;
> + struct v4l2_async_subdev asd; /* Must be first */
> struct cal_camerarx *phy;
> };
>
> @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal)
> fwnode = of_fwnode_handle(phy->sensor_node);
> asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier,
> fwnode,
> - sizeof(*asd));
> + sizeof(*casd));
Ouch :-S
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> if (IS_ERR(asd)) {
> phy_err(phy, "Failed to add subdev to notifier\n");
> ret = PTR_ERR(asd);
--
Regards,
Laurent Pinchart
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-01-14 2:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-13 9:00 [PATCH] media: ti-vpe: cal: fix write to unallocated memory Tomi Valkeinen
2021-01-13 9:06 ` Tomi Valkeinen
2021-01-13 17:22 ` Ezequiel Garcia
2021-01-14 2:29 ` Laurent Pinchart
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).