media: qcom: camss: Fix potential crash in cleanup in camss_configure_pd()
Checks
Context |
Check |
Description |
media-ci/HTML_report |
success
|
Link
|
media-ci/report |
success
|
Link
|
media-ci/bisect |
success
|
Link
|
media-ci/doc |
success
|
Link
|
media-ci/build |
success
|
Link
|
media-ci/static-upstream |
success
|
Link
|
media-ci/abi |
success
|
Link
|
media-ci/media-patchstyle |
success
|
Link
|
media-ci/checkpatch |
success
|
Link
|
Commit Message
This function calls dev_pm_domain_detach(camss->genpd, true) in the
cleanup path. But calling detach is only necessary if the attach
succeeded. If it didn't succeed then "camss->genpd" is either an error
pointer or NULL and it leads to a crash.
Fixes: 23aa4f0cd327 ("media: qcom: camss: Move VFE power-domain specifics into vfe.c")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/media/platform/qcom/camss/camss.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
Comments
Hello Dan,
On 9/10/24 22:55, Dan Carpenter wrote:
> This function calls dev_pm_domain_detach(camss->genpd, true) in the
> cleanup path. But calling detach is only necessary if the attach
> succeeded. If it didn't succeed then "camss->genpd" is either an error
> pointer or NULL and it leads to a crash.
>
> Fixes: 23aa4f0cd327 ("media: qcom: camss: Move VFE power-domain specifics into vfe.c")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> drivers/media/platform/qcom/camss/camss.c | 15 +++++----------
> 1 file changed, 5 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c
> index 1923615f0eea..f4531e7341d4 100644
> --- a/drivers/media/platform/qcom/camss/camss.c
> +++ b/drivers/media/platform/qcom/camss/camss.c
> @@ -2130,10 +2130,8 @@ static int camss_configure_pd(struct camss *camss)
> if (camss->res->pd_name) {
> camss->genpd = dev_pm_domain_attach_by_name(camss->dev,
> camss->res->pd_name);
> - if (IS_ERR(camss->genpd)) {
> - ret = PTR_ERR(camss->genpd);
> - goto fail_pm;
> - }
> + if (IS_ERR(camss->genpd))
> + return PTR_ERR(camss->genpd);
> }
>
> if (!camss->genpd) {
> @@ -2141,13 +2141,10 @@ static int camss_configure_pd(struct camss *camss)
> */
> camss->genpd = dev_pm_domain_attach_by_id(camss->dev,
> camss->genpd_num - 1);
> - }
> - if (IS_ERR_OR_NULL(camss->genpd)) {
> + if (IS_ERR(camss->genpd))
> + return PTR_ERR(camss->genpd);
> if (!camss->genpd)
> - ret = -ENODEV;
> - else
> - ret = PTR_ERR(camss->genpd);
> - goto fail_pm;
> + return -ENODEV;
> }
> camss->genpd_link = device_link_add(camss->dev, camss->genpd,
> DL_FLAG_STATELESS | DL_FLAG_PM_RUNTIME |
the problem has been already addressed, it is a real crash, not just
a potential one.
Please see https://lore.kernel.org/all/20240813210342.1765944-1-vladimir.zapolskiy@linaro.org/
--
Best wishes,
Vladimir
@@ -2130,10 +2130,8 @@ static int camss_configure_pd(struct camss *camss)
if (camss->res->pd_name) {
camss->genpd = dev_pm_domain_attach_by_name(camss->dev,
camss->res->pd_name);
- if (IS_ERR(camss->genpd)) {
- ret = PTR_ERR(camss->genpd);
- goto fail_pm;
- }
+ if (IS_ERR(camss->genpd))
+ return PTR_ERR(camss->genpd);
}
if (!camss->genpd) {
@@ -2141,13 +2141,10 @@ static int camss_configure_pd(struct camss *camss)
*/
camss->genpd = dev_pm_domain_attach_by_id(camss->dev,
camss->genpd_num - 1);
- }
- if (IS_ERR_OR_NULL(camss->genpd)) {
+ if (IS_ERR(camss->genpd))
+ return PTR_ERR(camss->genpd);
if (!camss->genpd)
- ret = -ENODEV;
- else
- ret = PTR_ERR(camss->genpd);
- goto fail_pm;
+ return -ENODEV;
}
camss->genpd_link = device_link_add(camss->dev, camss->genpd,
DL_FLAG_STATELESS | DL_FLAG_PM_RUNTIME |