Message ID | 20230705213010.390849-2-hdegoede@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Sakari Ailus |
Headers | From: Hans de Goede <hdegoede@redhat.com>; To: "Rafael J . Wysocki" <rafael@kernel.org>, Sakari Ailus <sakari.ailus@linux.intel.com>, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Daniel Scally <dan.scally@ideasonboard.com>; Cc: Hans de Goede <hdegoede@redhat.com>, linux-acpi@vger.kernel.org, Mauro Carvalho Chehab <mchehab@kernel.org>, Andy Shevchenko <andy@kernel.org>, Kate Hsuan <hpa@redhat.com>, Hao Yao <hao.yao@intel.com>, Bingbu Cao <bingbu.cao@intel.com>, linux-media@vger.kernel.org, Fabian Wüthrich <me@fabwu.ch>; Subject: [PATCH v3 01/18] media: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings; Date: Wed, 5 Jul 2023 23:29:53 +0200 |
Series | media: ipu-bridge: Shared with atomisp, rework VCM instantiation |
Commit Message
Hans de Goede
July 5, 2023, 9:29 p.m. UTC
When ipu_bridge_parse_rotation() and ipu_bridge_parse_orientation() run
sensor->adev is not set yet.
So if either of the dev_warn() calls about unknown values are hit this
will lead to a NULL pointer deref.
Set sensor->adev earlier, with a borrowed ref to avoid making unrolling
on errors harder, to fix this.
Fixes: 485aa3df0dff ("media: ipu3-cio2: Parse sensor orientation and rotation")
Cc: Fabian Wüthrich <me@fabwu.ch>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
drivers/media/pci/intel/ipu-bridge.c | 5 +++++
1 file changed, 5 insertions(+)
Comments
Hi Hans On 05/07/2023 22:29, Hans de Goede wrote: > When ipu_bridge_parse_rotation() and ipu_bridge_parse_orientation() run > sensor->adev is not set yet. > > So if either of the dev_warn() calls about unknown values are hit this > will lead to a NULL pointer deref. > > Set sensor->adev earlier, with a borrowed ref to avoid making unrolling > on errors harder, to fix this. > > Fixes: 485aa3df0dff ("media: ipu3-cio2: Parse sensor orientation and rotation") > Cc: Fabian Wüthrich <me@fabwu.ch> > Signed-off-by: Hans de Goede <hdegoede@redhat.com> > --- Reviewed-by: Daniel Scally <dan.scally@ideasonboard.com> And same for the corresponding 09/18 > drivers/media/pci/intel/ipu-bridge.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/media/pci/intel/ipu-bridge.c b/drivers/media/pci/intel/ipu-bridge.c > index 62daa8c1f6b1..f0927f80184d 100644 > --- a/drivers/media/pci/intel/ipu-bridge.c > +++ b/drivers/media/pci/intel/ipu-bridge.c > @@ -308,6 +308,11 @@ static int ipu_bridge_connect_sensor(const struct ipu_sensor_config *cfg, > } > > sensor = &bridge->sensors[bridge->n_sensors]; > + /* > + * Borrow our adev ref to the sensor for now, on success > + * acpi_dev_get(adev) is done further below. > + */ > + sensor->adev = adev; > > ret = ipu_bridge_read_acpi_buffer(adev, "SSDB", > &sensor->ssdb,
diff --git a/drivers/media/pci/intel/ipu-bridge.c b/drivers/media/pci/intel/ipu-bridge.c index 62daa8c1f6b1..f0927f80184d 100644 --- a/drivers/media/pci/intel/ipu-bridge.c +++ b/drivers/media/pci/intel/ipu-bridge.c @@ -308,6 +308,11 @@ static int ipu_bridge_connect_sensor(const struct ipu_sensor_config *cfg, } sensor = &bridge->sensors[bridge->n_sensors]; + /* + * Borrow our adev ref to the sensor for now, on success + * acpi_dev_get(adev) is done further below. + */ + sensor->adev = adev; ret = ipu_bridge_read_acpi_buffer(adev, "SSDB", &sensor->ssdb,
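Review bot: the added `sensor->adev = adev;` right after `sensor = &bridge->sensors[bridge->n_sensors];` stores the pointer without taking a reference, so any error return between this line and the later acpi_dev_get(adev) leaves that array slot holding a borrowed pointer. The error paths are not visible in this hunk; it is worth confirming that no unwind or cleanup code calls acpi_dev_put() on sensor->adev or otherwise dereferences it for a slot that failed to connect. Either reset sensor->adev to NULL on the failure path, or extend the new comment to say why a stale pointer in a failed slot is harmless, so the borrowed-reference invariant is documented where it is created.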