Message ID | 20210113090027.234403-1-tomi.valkeinen@ideasonboard.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | media: ti-vpe: cal: fix write to unallocated memory | expand |
On 13/01/2021 11:00, Tomi Valkeinen wrote: > The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be > of size cal_v4l2_async_subdev, otherwise access to > cal_v4l2_async_subdev->phy will go to unallocated memory. > > Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier") > Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> Ah, I forgot to add: Cc: stable@vger.kernel.org # 5.9+ > --- > drivers/media/platform/ti-vpe/cal.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c > index 59a0266b1f39..2eef245c31a1 100644 > --- a/drivers/media/platform/ti-vpe/cal.c > +++ b/drivers/media/platform/ti-vpe/cal.c > @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data) > */ > > struct cal_v4l2_async_subdev { > - struct v4l2_async_subdev asd; > + struct v4l2_async_subdev asd; /* Must be first */ > struct cal_camerarx *phy; > }; > > @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal) > fwnode = of_fwnode_handle(phy->sensor_node); > asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier, > fwnode, > - sizeof(*asd)); > + sizeof(*casd)); > if (IS_ERR(asd)) { > phy_err(phy, "Failed to add subdev to notifier\n"); > ret = PTR_ERR(asd); >
On Wed, 13 Jan 2021 at 06:08, Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> wrote: > > On 13/01/2021 11:00, Tomi Valkeinen wrote: > > The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be > > of size cal_v4l2_async_subdev, otherwise access to > > cal_v4l2_async_subdev->phy will go to unallocated memory. > > > > Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier") > > Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> > > Ah, I forgot to add: > > Cc: stable@vger.kernel.org # 5.9+ > Nice catch. I missed users of v4l2_async_notifier_add_fwnode_subdev in my recent cleanup series. Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com> Thanks, Ezequiel > > --- > > drivers/media/platform/ti-vpe/cal.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c > > index 59a0266b1f39..2eef245c31a1 100644 > > --- a/drivers/media/platform/ti-vpe/cal.c > > +++ b/drivers/media/platform/ti-vpe/cal.c > > @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data) > > */ > > > > struct cal_v4l2_async_subdev { > > - struct v4l2_async_subdev asd; > > + struct v4l2_async_subdev asd; /* Must be first */ > > struct cal_camerarx *phy; > > }; > > > > @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal) > > fwnode = of_fwnode_handle(phy->sensor_node); > > asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier, > > fwnode, > > - sizeof(*asd)); > > + sizeof(*casd)); > > if (IS_ERR(asd)) { > > phy_err(phy, "Failed to add subdev to notifier\n"); > > ret = PTR_ERR(asd); > >
Hi Tomi, Thank you for the patch. On Wed, Jan 13, 2021 at 11:00:27AM +0200, Tomi Valkeinen wrote: > The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be > of size cal_v4l2_async_subdev, otherwise access to > cal_v4l2_async_subdev->phy will go to unallocated memory. > > Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier") > Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> > --- > drivers/media/platform/ti-vpe/cal.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c > index 59a0266b1f39..2eef245c31a1 100644 > --- a/drivers/media/platform/ti-vpe/cal.c > +++ b/drivers/media/platform/ti-vpe/cal.c > @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data) > */ > > struct cal_v4l2_async_subdev { > - struct v4l2_async_subdev asd; > + struct v4l2_async_subdev asd; /* Must be first */ > struct cal_camerarx *phy; > }; > > @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal) > fwnode = of_fwnode_handle(phy->sensor_node); > asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier, > fwnode, > - sizeof(*asd)); > + sizeof(*casd)); Ouch :-S Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > if (IS_ERR(asd)) { > phy_err(phy, "Failed to add subdev to notifier\n"); > ret = PTR_ERR(asd);
diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c index 59a0266b1f39..2eef245c31a1 100644 --- a/drivers/media/platform/ti-vpe/cal.c +++ b/drivers/media/platform/ti-vpe/cal.c @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data) */ struct cal_v4l2_async_subdev { - struct v4l2_async_subdev asd; + struct v4l2_async_subdev asd; /* Must be first */ struct cal_camerarx *phy; }; @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal) fwnode = of_fwnode_handle(phy->sensor_node); asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier, fwnode, - sizeof(*asd)); + sizeof(*casd)); if (IS_ERR(asd)) { phy_err(phy, "Failed to add subdev to notifier\n"); ret = PTR_ERR(asd);
The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be of size cal_v4l2_async_subdev, otherwise access to cal_v4l2_async_subdev->phy will go to unallocated memory. Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier") Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com> --- drivers/media/platform/ti-vpe/cal.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)