diff mbox series

media: ti-vpe: cal: fix write to unallocated memory

Message ID 20210113090027.234403-1-tomi.valkeinen@ideasonboard.com (mailing list archive)
State New, archived
Headers show
Series media: ti-vpe: cal: fix write to unallocated memory | expand

Commit Message

Tomi Valkeinen Jan. 13, 2021, 9 a.m. UTC
The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be
of size cal_v4l2_async_subdev, otherwise access to
cal_v4l2_async_subdev->phy will go to unallocated memory.

Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier")
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
---
 drivers/media/platform/ti-vpe/cal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Tomi Valkeinen Jan. 13, 2021, 9:06 a.m. UTC | #1
On 13/01/2021 11:00, Tomi Valkeinen wrote:
> The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be
> of size cal_v4l2_async_subdev, otherwise access to
> cal_v4l2_async_subdev->phy will go to unallocated memory.
> 
> Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier")
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>

Ah, I forgot to add:

Cc: stable@vger.kernel.org # 5.9+

> ---
>  drivers/media/platform/ti-vpe/cal.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
> index 59a0266b1f39..2eef245c31a1 100644
> --- a/drivers/media/platform/ti-vpe/cal.c
> +++ b/drivers/media/platform/ti-vpe/cal.c
> @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data)
>   */
>  
>  struct cal_v4l2_async_subdev {
> -	struct v4l2_async_subdev asd;
> +	struct v4l2_async_subdev asd; /* Must be first */
>  	struct cal_camerarx *phy;
>  };
>  
> @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal)
>  		fwnode = of_fwnode_handle(phy->sensor_node);
>  		asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier,
>  							    fwnode,
> -							    sizeof(*asd));
> +							    sizeof(*casd));
>  		if (IS_ERR(asd)) {
>  			phy_err(phy, "Failed to add subdev to notifier\n");
>  			ret = PTR_ERR(asd);
>
Ezequiel Garcia Jan. 13, 2021, 5:22 p.m. UTC | #2
On Wed, 13 Jan 2021 at 06:08, Tomi Valkeinen
<tomi.valkeinen@ideasonboard.com> wrote:
>
> On 13/01/2021 11:00, Tomi Valkeinen wrote:
> > The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be
> > of size cal_v4l2_async_subdev, otherwise access to
> > cal_v4l2_async_subdev->phy will go to unallocated memory.
> >
> > Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier")
> > Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
>
> Ah, I forgot to add:
>
> Cc: stable@vger.kernel.org # 5.9+
>

Nice catch. I missed users of v4l2_async_notifier_add_fwnode_subdev
in my recent cleanup series.

Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>

Thanks,
Ezequiel

> > ---
> >  drivers/media/platform/ti-vpe/cal.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
> > index 59a0266b1f39..2eef245c31a1 100644
> > --- a/drivers/media/platform/ti-vpe/cal.c
> > +++ b/drivers/media/platform/ti-vpe/cal.c
> > @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data)
> >   */
> >
> >  struct cal_v4l2_async_subdev {
> > -     struct v4l2_async_subdev asd;
> > +     struct v4l2_async_subdev asd; /* Must be first */
> >       struct cal_camerarx *phy;
> >  };
> >
> > @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal)
> >               fwnode = of_fwnode_handle(phy->sensor_node);
> >               asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier,
> >                                                           fwnode,
> > -                                                         sizeof(*asd));
> > +                                                         sizeof(*casd));
> >               if (IS_ERR(asd)) {
> >                       phy_err(phy, "Failed to add subdev to notifier\n");
> >                       ret = PTR_ERR(asd);
> >
Laurent Pinchart Jan. 14, 2021, 2:29 a.m. UTC | #3
Hi Tomi,

Thank you for the patch.

On Wed, Jan 13, 2021 at 11:00:27AM +0200, Tomi Valkeinen wrote:
> The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be
> of size cal_v4l2_async_subdev, otherwise access to
> cal_v4l2_async_subdev->phy will go to unallocated memory.
> 
> Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier")
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
> ---
>  drivers/media/platform/ti-vpe/cal.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
> index 59a0266b1f39..2eef245c31a1 100644
> --- a/drivers/media/platform/ti-vpe/cal.c
> +++ b/drivers/media/platform/ti-vpe/cal.c
> @@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data)
>   */
>  
>  struct cal_v4l2_async_subdev {
> -	struct v4l2_async_subdev asd;
> +	struct v4l2_async_subdev asd; /* Must be first */
>  	struct cal_camerarx *phy;
>  };
>  
> @@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal)
>  		fwnode = of_fwnode_handle(phy->sensor_node);
>  		asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier,
>  							    fwnode,
> -							    sizeof(*asd));
> +							    sizeof(*casd));

Ouch :-S

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

>  		if (IS_ERR(asd)) {
>  			phy_err(phy, "Failed to add subdev to notifier\n");
>  			ret = PTR_ERR(asd);
diff mbox series

Patch

diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
index 59a0266b1f39..2eef245c31a1 100644
--- a/drivers/media/platform/ti-vpe/cal.c
+++ b/drivers/media/platform/ti-vpe/cal.c
@@ -406,7 +406,7 @@  static irqreturn_t cal_irq(int irq_cal, void *data)
  */
 
 struct cal_v4l2_async_subdev {
-	struct v4l2_async_subdev asd;
+	struct v4l2_async_subdev asd; /* Must be first */
 	struct cal_camerarx *phy;
 };
 
@@ -472,7 +472,7 @@  static int cal_async_notifier_register(struct cal_dev *cal)
 		fwnode = of_fwnode_handle(phy->sensor_node);
 		asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier,
 							    fwnode,
-							    sizeof(*asd));
+							    sizeof(*casd));
 		if (IS_ERR(asd)) {
 			phy_err(phy, "Failed to add subdev to notifier\n");
 			ret = PTR_ERR(asd);