From: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
To: linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
linux-media@vger.kernel.org
Cc: matthias.bgg@gmail.com, mchehab@kernel.org, hverkuil@xs4all.nl,
kernel@collabora.com, dafna3@gmail.com,
enric.balletbo@collabora.com, dafna.hirschfeld@collabora.com
Subject: [PATCH] media: mtk-mdp: Fix Null pointer dereference when calling list_add
Date: Fri, 28 Aug 2020 15:55:41 +0200 [thread overview]
Message-ID: <20200828135541.8282-1-dafna.hirschfeld@collabora.com> (raw)
In list_add, the first variable is the new node and the second
is the list head. The function is called with a wrong order causing
NULL dereference:
[ 15.527030] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[ 15.542317] Mem abort info:
[ 15.545152] ESR = 0x96000044
[ 15.548248] EC = 0x25: DABT (current EL), IL = 32 bits
[ 15.553624] SET = 0, FnV = 0
[ 15.556715] EA = 0, S1PTW = 0
[ 15.559892] Data abort info:
[ 15.562799] ISV = 0, ISS = 0x00000044
[ 15.566678] CM = 0, WnR = 1
[ 15.569683] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001373f0000
[ 15.576196] [0000000000000008] pgd=0000000000000000, p4d=0000000000000000
[ 15.583101] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[ 15.588747] Modules linked in: mtk_mdp(+) cfg80211 v4l2_mem2mem videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common vide
odev mt8173_rt5650 smsc95xx usbnet ecdh_generic ecc snd_soc_rt5645 mc mt8173_afe_pcm rfkill cros_ec_sensors snd_soc_mtk_common elan_i2c crct10dif_ce cros_ec_se
nsors_core snd_soc_rl6231 elants_i2c industrialio_triggered_buffer kfifo_buf mtk_vpu cros_ec_chardev cros_usbpd_charger cros_usbpd_logger sbs_battery display_c
onnector pwm_bl ip_tables x_tables ipv6
[ 15.634295] CPU: 0 PID: 188 Comm: systemd-udevd Not tainted 5.9.0-rc2+ #69
[ 15.641242] Hardware name: Google Elm (DT)
[ 15.645381] pstate: 20000005 (nzCv daif -PAN -UAO BTYPE=--)
[ 15.651022] pc : mtk_mdp_probe+0x134/0x3a8 [mtk_mdp]
[ 15.656041] lr : mtk_mdp_probe+0x128/0x3a8 [mtk_mdp]
[ 15.661055] sp : ffff80001255b910
[ 15.669548] x29: ffff80001255b910 x28: 0000000000000000
[ 15.679973] x27: ffff800009089bf8 x26: ffff0000fafde800
[ 15.690347] x25: ffff0000ff7d2768 x24: ffff800009089010
[ 15.700670] x23: ffff0000f01a7cd8 x22: ffff0000fafde810
[ 15.710940] x21: ffff0000f01a7c80 x20: ffff0000f0c3c180
[ 15.721148] x19: ffff0000ff7f1618 x18: 0000000000000010
[ 15.731289] x17: 0000000000000000 x16: 0000000000000000
[ 15.741375] x15: 0000000000aaaaaa x14: 0000000000000020
[ 15.751399] x13: 00000000ffffffff x12: 0000000000000020
[ 15.761363] x11: 0000000000000028 x10: 0101010101010101
[ 15.771279] x9 : 0000000000000004 x8 : 7f7f7f7f7f7f7f7f
[ 15.781148] x7 : 646bff6171606b2b x6 : 0000000000806d65
[ 15.790981] x5 : ffff0000ff7f8360 x4 : 0000000000000000
[ 15.800767] x3 : 0000000000000004 x2 : 0000000000000001
[ 15.810501] x1 : 0000000000000005 x0 : 0000000000000000
[ 15.820171] Call trace:
[ 15.826944] mtk_mdp_probe+0x134/0x3a8 [mtk_mdp]
[ 15.835908] platform_drv_probe+0x54/0xa8
[ 15.844247] really_probe+0xe4/0x3b0
[ 15.852104] driver_probe_device+0x58/0xb8
[ 15.860457] device_driver_attach+0x74/0x80
[ 15.868854] __driver_attach+0x58/0xe0
[ 15.876770] bus_for_each_dev+0x70/0xc0
[ 15.884726] driver_attach+0x24/0x30
[ 15.892374] bus_add_driver+0x14c/0x1f0
[ 15.900295] driver_register+0x64/0x120
[ 15.908168] __platform_driver_register+0x48/0x58
[ 15.916864] mtk_mdp_driver_init+0x20/0x1000 [mtk_mdp]
[ 15.925943] do_one_initcall+0x54/0x1b4
[ 15.933662] do_init_module+0x54/0x200
[ 15.941246] load_module+0x1cf8/0x22d0
[ 15.948798] __do_sys_finit_module+0xd8/0xf0
[ 15.956829] __arm64_sys_finit_module+0x20/0x30
[ 15.965082] el0_svc_common.constprop.0+0x6c/0x168
[ 15.973527] do_el0_svc+0x24/0x90
[ 15.980403] el0_sync_handler+0x90/0x198
[ 15.987867] el0_sync+0x158/0x180
[ 15.994653] Code: 9400014b 2a0003fc 35000920 f9400280 (f9000417)
[ 16.004299] ---[ end trace 76fee0203f9898e5 ]---
Fixes: 86698b9505bbc ("media: mtk-mdp: convert mtk_mdp_dev.comp array to list")
Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
---
drivers/media/platform/mtk-mdp/mtk_mdp_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/mtk-mdp/mtk_mdp_core.c b/drivers/media/platform/mtk-mdp/mtk_mdp_core.c
index f96c8b3bf861..976aa1f4829b 100644
--- a/drivers/media/platform/mtk-mdp/mtk_mdp_core.c
+++ b/drivers/media/platform/mtk-mdp/mtk_mdp_core.c
@@ -94,7 +94,7 @@ static void mtk_mdp_reset_handler(void *priv)
void mtk_mdp_register_component(struct mtk_mdp_dev *mdp,
struct mtk_mdp_comp *comp)
{
- list_add(&mdp->comp_list, &comp->node);
+ list_add(&comp->node, &mdp->comp_list);
}
void mtk_mdp_unregister_component(struct mtk_mdp_dev *mdp,
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
To: linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
linux-media@vger.kernel.org
Cc: kernel@collabora.com, dafna.hirschfeld@collabora.com,
dafna3@gmail.com, hverkuil@xs4all.nl,
enric.balletbo@collabora.com, matthias.bgg@gmail.com,
mchehab@kernel.org
Subject: [PATCH] media: mtk-mdp: Fix Null pointer dereference when calling list_add
Date: Fri, 28 Aug 2020 15:55:41 +0200 [thread overview]
Message-ID: <20200828135541.8282-1-dafna.hirschfeld@collabora.com> (raw)
In list_add, the first variable is the new node and the second
is the list head. The function is called with a wrong order causing
NULL dereference:
[ 15.527030] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[ 15.542317] Mem abort info:
[ 15.545152] ESR = 0x96000044
[ 15.548248] EC = 0x25: DABT (current EL), IL = 32 bits
[ 15.553624] SET = 0, FnV = 0
[ 15.556715] EA = 0, S1PTW = 0
[ 15.559892] Data abort info:
[ 15.562799] ISV = 0, ISS = 0x00000044
[ 15.566678] CM = 0, WnR = 1
[ 15.569683] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001373f0000
[ 15.576196] [0000000000000008] pgd=0000000000000000, p4d=0000000000000000
[ 15.583101] Internal error: Oops: 96000044 [#1] PREEMPT SMP
[ 15.588747] Modules linked in: mtk_mdp(+) cfg80211 v4l2_mem2mem videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common vide
odev mt8173_rt5650 smsc95xx usbnet ecdh_generic ecc snd_soc_rt5645 mc mt8173_afe_pcm rfkill cros_ec_sensors snd_soc_mtk_common elan_i2c crct10dif_ce cros_ec_se
nsors_core snd_soc_rl6231 elants_i2c industrialio_triggered_buffer kfifo_buf mtk_vpu cros_ec_chardev cros_usbpd_charger cros_usbpd_logger sbs_battery display_c
onnector pwm_bl ip_tables x_tables ipv6
[ 15.634295] CPU: 0 PID: 188 Comm: systemd-udevd Not tainted 5.9.0-rc2+ #69
[ 15.641242] Hardware name: Google Elm (DT)
[ 15.645381] pstate: 20000005 (nzCv daif -PAN -UAO BTYPE=--)
[ 15.651022] pc : mtk_mdp_probe+0x134/0x3a8 [mtk_mdp]
[ 15.656041] lr : mtk_mdp_probe+0x128/0x3a8 [mtk_mdp]
[ 15.661055] sp : ffff80001255b910
[ 15.669548] x29: ffff80001255b910 x28: 0000000000000000
[ 15.679973] x27: ffff800009089bf8 x26: ffff0000fafde800
[ 15.690347] x25: ffff0000ff7d2768 x24: ffff800009089010
[ 15.700670] x23: ffff0000f01a7cd8 x22: ffff0000fafde810
[ 15.710940] x21: ffff0000f01a7c80 x20: ffff0000f0c3c180
[ 15.721148] x19: ffff0000ff7f1618 x18: 0000000000000010
[ 15.731289] x17: 0000000000000000 x16: 0000000000000000
[ 15.741375] x15: 0000000000aaaaaa x14: 0000000000000020
[ 15.751399] x13: 00000000ffffffff x12: 0000000000000020
[ 15.761363] x11: 0000000000000028 x10: 0101010101010101
[ 15.771279] x9 : 0000000000000004 x8 : 7f7f7f7f7f7f7f7f
[ 15.781148] x7 : 646bff6171606b2b x6 : 0000000000806d65
[ 15.790981] x5 : ffff0000ff7f8360 x4 : 0000000000000000
[ 15.800767] x3 : 0000000000000004 x2 : 0000000000000001
[ 15.810501] x1 : 0000000000000005 x0 : 0000000000000000
[ 15.820171] Call trace:
[ 15.826944] mtk_mdp_probe+0x134/0x3a8 [mtk_mdp]
[ 15.835908] platform_drv_probe+0x54/0xa8
[ 15.844247] really_probe+0xe4/0x3b0
[ 15.852104] driver_probe_device+0x58/0xb8
[ 15.860457] device_driver_attach+0x74/0x80
[ 15.868854] __driver_attach+0x58/0xe0
[ 15.876770] bus_for_each_dev+0x70/0xc0
[ 15.884726] driver_attach+0x24/0x30
[ 15.892374] bus_add_driver+0x14c/0x1f0
[ 15.900295] driver_register+0x64/0x120
[ 15.908168] __platform_driver_register+0x48/0x58
[ 15.916864] mtk_mdp_driver_init+0x20/0x1000 [mtk_mdp]
[ 15.925943] do_one_initcall+0x54/0x1b4
[ 15.933662] do_init_module+0x54/0x200
[ 15.941246] load_module+0x1cf8/0x22d0
[ 15.948798] __do_sys_finit_module+0xd8/0xf0
[ 15.956829] __arm64_sys_finit_module+0x20/0x30
[ 15.965082] el0_svc_common.constprop.0+0x6c/0x168
[ 15.973527] do_el0_svc+0x24/0x90
[ 15.980403] el0_sync_handler+0x90/0x198
[ 15.987867] el0_sync+0x158/0x180
[ 15.994653] Code: 9400014b 2a0003fc 35000920 f9400280 (f9000417)
[ 16.004299] ---[ end trace 76fee0203f9898e5 ]---
Fixes: 86698b9505bbc ("media: mtk-mdp: convert mtk_mdp_dev.comp array to list")
Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
---
drivers/media/platform/mtk-mdp/mtk_mdp_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/mtk-mdp/mtk_mdp_core.c b/drivers/media/platform/mtk-mdp/mtk_mdp_core.c
index f96c8b3bf861..976aa1f4829b 100644
--- a/drivers/media/platform/mtk-mdp/mtk_mdp_core.c
+++ b/drivers/media/platform/mtk-mdp/mtk_mdp_core.c
@@ -94,7 +94,7 @@ static void mtk_mdp_reset_handler(void *priv)
void mtk_mdp_register_component(struct mtk_mdp_dev *mdp,
struct mtk_mdp_comp *comp)
{
- list_add(&mdp->comp_list, &comp->node);
+ list_add(&comp->node, &mdp->comp_list);
}
void mtk_mdp_unregister_component(struct mtk_mdp_dev *mdp,
--
2.17.1
_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek
next reply other threads:[~2020-08-28 13:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-28 13:55 Dafna Hirschfeld [this message]
2020-08-28 13:55 ` [PATCH] media: mtk-mdp: Fix Null pointer dereference when calling list_add Dafna Hirschfeld
2020-08-28 17:26 ` Matthias Brugger
2020-08-28 17:26 ` Matthias Brugger
2020-09-04 7:59 ` Enric Balletbo i Serra
2020-09-04 7:59 ` Enric Balletbo i Serra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200828135541.8282-1-dafna.hirschfeld@collabora.com \
--to=dafna.hirschfeld@collabora.com \
--cc=dafna3@gmail.com \
--cc=enric.balletbo@collabora.com \
--cc=hverkuil@xs4all.nl \
--cc=kernel@collabora.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=matthias.bgg@gmail.com \
--cc=mchehab@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.