From: sashiko-bot@kernel.org
To: "Loic Poulain" <loic.poulain@oss.qualcomm.com>
Cc: robh@kernel.org, devicetree@vger.kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v4 2/7] media: qcom: camss: Add camss-params helper
Date: Fri, 10 Jul 2026 09:17:56 +0000 [thread overview]
Message-ID: <20260710091757.6701F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710-camss-isp-ope-v4-2-51207a0319d8@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [High] The result of `vb2_plane_vaddr()` is used without being checked for NULL, allowing unprivileged userspace to trigger a kernel crash via an unmapped or invalid buffer.
- [High] `camss_isp_params_apply` introduces a Double-Fetch (TOCTOU) vulnerability by re-reading size fields from a user-shared parameter buffer after validation, allowing malicious userspace to cause out-of-bounds reads or infinite kernel loops.
- [Low] The patch introduces a new file that relies on a non-existent UAPI header `<uapi/linux/camss-config.h>` and an undefined constant `CAMSS_PARAMS_MAX_PAYLOAD`, breaking the kernel build.
Pre-existing issues:
- [High] Preexisting vulnerability in core `v4l2_isp_params_validate_buffer` allows bypassing size validation via double-fetching `buffer->data_size`.
--
--- Patch [2]: [PATCH v4 2/7] media: qcom: camss: Add camss-params helper ---
commit e5eb27065c51794fadaae391d80e83b70481fa0d
Author: Loic Poulain <loic.poulain@oss.qualcomm.com>
media: qcom: camss: Add camss-params helper
Add V4L2 ISP parameter buffer validation helpers for CAMSS ISP drivers.
Provides buffer size validation and per-block type validation for the
extensible V4L2 ISP parameters buffer format.
> diff --git a/drivers/media/platform/qcom/camss/camss-params.c b/drivers/media/platform/qcom/camss/camss-params.c
> new file mode 100644
> index 0000000000000..ebb75a191d375
> --- /dev/null
> +++ b/drivers/media/platform/qcom/camss/camss-params.c
> @@ -0,0 +1,67 @@
[ ... ]
> +int camss_isp_params_apply(struct device *dev,
> + struct vb2_buffer *vb,
> + const struct v4l2_isp_params_block_type_info *type_info,
> + const camss_isp_params_handler_fn *handlers,
> + unsigned int num_handlers,
> + void *priv)
> +{
> + const struct v4l2_isp_params_buffer *buf;
> + unsigned int remaining;
> + unsigned int offset = 0;
> + int ret;
> +
> + ret = v4l2_isp_params_validate_buffer_size(dev, vb,
> + v4l2_isp_params_buffer_size(CAMSS_PARAMS_MAX_PAYLOAD));
[Severity: Low]
Where is CAMSS_PARAMS_MAX_PAYLOAD defined? The kernel build seems to fail
because this constant is undefined.
> + if (ret)
> + return ret;
> +
> + buf = vb2_plane_vaddr(vb, 0);
> +
> + ret = v4l2_isp_params_validate_buffer(dev, vb, buf, type_info, num_handlers);
[Severity: High]
Can this result in a NULL pointer dereference?
If an unprivileged userspace application queues a V4L2 buffer lacking a
virtual address mapping, vb2_plane_vaddr() will return NULL. The NULL
pointer buf is then directly passed to v4l2_isp_params_validate_buffer(),
which dereferences it.
> + if (ret)
> + return ret;
> +
> + dev_dbg(dev, "params: version=%u data_size=%u\n", buf->version, buf->data_size);
> +
> + remaining = buf->data_size;
> +
> + while (remaining >= sizeof(struct v4l2_isp_params_block_header)) {
> + const union camss_isp_params_block *block =
> + (const union camss_isp_params_block *)&buf->data[offset];
> + u16 type = block->header.type;
> + u32 bsize = block->header.size;
[Severity: High]
Could this be susceptible to a double-fetch race condition?
The function validates the V4L2 parameter buffer, but then iteratively
parses it while re-fetching block->header.size from shared user memory.
If a malicious userspace thread concurrently modifies block->header.size to
0 after validation, bsize becomes 0. This means offset and remaining do not
change, which would result in an infinite kernel loop.
> +
> + if (type < num_handlers && handlers[type])
> + handlers[type](priv, block);
> + else
> + dev_dbg(dev, "params: no handler for block type %u\n", type);
> +
> + offset += bsize;
> + remaining -= bsize;
> + }
[ ... ]
> diff --git a/drivers/media/platform/qcom/camss/camss-params.h b/drivers/media/platform/qcom/camss/camss-params.h
> new file mode 100644
> index 0000000000000..058e3f158b42d
> --- /dev/null
> +++ b/drivers/media/platform/qcom/camss/camss-params.h
> @@ -0,0 +1,62 @@
[ ... ]
> +#ifndef CAMSS_PARAMS_H
> +#define CAMSS_PARAMS_H
> +
> +#include <linux/types.h>
> +#include <media/v4l2-isp.h>
> +#include <uapi/linux/camss-config.h>
[Severity: Low]
Is this header correct? It appears that <uapi/linux/camss-config.h> does
not exist in the tree.
[ ... ]
While reviewing this patch, I noticed a related issue in
v4l2_isp_params_validate_buffer() in drivers/media/v4l2-core/v4l2-isp.c:
> /* Validate the size reported in the header */
> buffer_size = header_size + buffer->data_size;
> if (buffer_size != payload_size) {
> dev_dbg(dev, "Data size %zu and payload size %zu are different\n",
> buffer_size, payload_size);
> return -EINVAL;
> }
>
> /* Walk the list of ISP configuration blocks and validate them. */
> buffer_size = buffer->data_size;
[Severity: High]
This is a pre-existing issue, but does this core function allow a bounds
check bypass?
The buffer->data_size field is fetched from shared user memory to validate
it fits in the payload, and then fetched a second time to initialize the
parsing loop bounds.
Can a userspace program concurrently modify buffer->data_size to a large
invalid size between the two fetches, bypassing the bounds check and
causing the block parser to read out of bounds?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260710-camss-isp-ope-v4-0-51207a0319d8@oss.qualcomm.com?part=2
next prev parent reply other threads:[~2026-07-10 9:17 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-10 9:04 [PATCH v4 0/7] media: qcom: camss: CAMSS Offline Processing Engine support Loic Poulain
2026-07-10 9:04 ` [PATCH v4 1/7] media: qcom: camss: Add camss-pipeline helper Loic Poulain
2026-07-10 9:20 ` sashiko-bot
2026-07-10 9:04 ` [PATCH v4 2/7] media: qcom: camss: Add camss-params helper Loic Poulain
2026-07-10 9:17 ` sashiko-bot [this message]
2026-07-10 9:04 ` [PATCH v4 3/7] media: qcom: camss: Add V4L2 meta format for CAMSS ISP parameters Loic Poulain
2026-07-10 9:11 ` sashiko-bot
2026-07-10 9:04 ` [PATCH v4 4/7] dt-bindings: media: qcom: Add CAMSS Offline Processing Engine (OPE) Loic Poulain
2026-07-10 10:20 ` Bryan O'Donoghue
2026-07-10 10:38 ` Loic Poulain
2026-07-10 10:44 ` Bryan O'Donoghue
2026-07-10 9:04 ` [PATCH v4 5/7] media: uapi: Add CAMSS ISP configuration definition Loic Poulain
2026-07-10 9:21 ` sashiko-bot
2026-07-10 21:41 ` Bryan O'Donoghue
2026-07-10 9:04 ` [PATCH v4 6/7] media: qcom: camss: Add CAMSS Offline Processing Engine driver Loic Poulain
2026-07-10 9:24 ` sashiko-bot
2026-07-13 13:05 ` Bryan O'Donoghue
2026-07-10 9:04 ` [PATCH v4 7/7] arm64: dts: qcom: agatti: Add OPE node Loic Poulain
2026-07-10 9:35 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710091757.6701F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=loic.poulain@oss.qualcomm.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.