Linux-ARM-Kernel Archive on lore.kernel.org
From: Guoniu Zhou <guoniu.zhou@oss.nxp.com>
To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	 Mauro Carvalho Chehab <mchehab@kernel.org>,
	Frank Li <Frank.Li@nxp.com>,
	 Sascha Hauer <s.hauer@pengutronix.de>,
	 Pengutronix Kernel Team <kernel@pengutronix.de>,
	 Fabio Estevam <festevam@gmail.com>,
	Christian Hemp <c.hemp@phytec.de>,
	 Stefan Riedmueller <s.riedmueller@phytec.de>,
	 Jacopo Mondi <jacopo@jmondi.org>
Cc: Dong Aisheng <aisheng.dong@nxp.com>,
	Guoniu Zhou <guoniu.zhou@nxp.com>,
	 linux-media@vger.kernel.org, imx@lists.linux.dev,
	 linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org,
	 Guoniu Zhou <guoniu.zhou@oss.nxp.com>,
	stable@vger.kernel.org
Subject: [PATCH 1/5] media: nxp: imx8-isi: Fix stream ID validation bypass in crossbar routing
Date: Mon, 29 Jun 2026 15:44:55 +0800
Message-ID: <20260629-isi-v1-1-deebfdb1b07b@oss.nxp.com>
In-Reply-To: <20260629-isi-v1-0-deebfdb1b07b@oss.nxp.com>

The crossbar routing validation has a critical bug where it validates
the wrong routing table, allowing userspace to bypass validation entirely.

The __mxc_isi_crossbar_set_routing() function is called to validate and
apply a new routing table from userspace. However, the validation loop
iterates over state->routing (the currently active routing table) instead
of the routing parameter (the new table being validated):

    for_each_active_route(&state->routing, route) {

This means userspace can submit any invalid routing configuration and it
will pass validation as long as the currently active routing is valid.
This is a security issue as it allows userspace to configure routes that
violate hardware constraints, potentially causing undefined hardware
behavior.

Fix by validating the routing table that will actually be applied:

    for_each_active_route(routing, route) {

Additionally, add validation to enforce hardware constraints that were
previously missing:
- SOURCE stream must be 0 (ISI pipes are hardcoded to stream 0)
- SINK stream must be less than the ISI channel count
- Memory input can only route to the first pipeline (existing check)

Fixes: cf21f328fcaf ("media: nxp: Add i.MX8 ISI driver")
Cc: stable@vger.kernel.org
Signed-off-by: Guoniu Zhou <guoniu.zhou@oss.nxp.com>
---
 .../platform/nxp/imx8-isi/imx8-isi-crossbar.c      | 24 ++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/nxp/imx8-isi/imx8-isi-crossbar.c b/drivers/media/platform/nxp/imx8-isi/imx8-isi-crossbar.c
index c580c831972e..29f14d30dbbb 100644
--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-crossbar.c
+++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-crossbar.c
@@ -106,8 +106,28 @@ static int __mxc_isi_crossbar_set_routing(struct v4l2_subdev *sd,
 	if (ret)
 		return ret;
 
-	/* The memory input can be routed to the first pipeline only. */
-	for_each_active_route(&state->routing, route) {
+	/*
+	 * Validate routes against hardware constraints:
+	 * - SOURCE stream must be 0 (pipes are hardcoded to stream 0)
+	 * - SINK stream must be < ISI channel count
+	 * - Memory input can only route to the first pipeline
+	 */
+	for_each_active_route(routing, route) {
+		if (route->source_stream != 0) {
+			dev_dbg(xbar->isi->dev,
+				"route to pipe %u must use source_stream=0, got %u\n",
+				route->source_pad - xbar->num_sinks,
+				route->source_stream);
+			return -ENXIO;
+		}
+
+		if (route->sink_stream >= xbar->num_sources) {
+			dev_dbg(xbar->isi->dev,
+				"sink_stream %u exceeds hardware limit %u\n",
+				route->sink_stream, xbar->num_sources - 1);
+			return -ENXIO;
+		}
+
 		if (route->sink_pad == xbar->num_sinks - 1 &&
 		    route->source_pad != xbar->num_sinks) {
 			dev_dbg(xbar->isi->dev,
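
Review bot: The new sink_stream check bounds a stream ID by xbar->num_sources, a pad count, while the comment above the loop and the commit message call the limit the "ISI channel count"; the comment should state that num_sources is the number of ISI channels (or the check should use a named helper) so the comparison does not look like a unit mix-up. In the source_stream branch, the dev_dbg argument route->source_pad - xbar->num_sinks is unsigned and printed with %u, so it only shows a sensible pipe index if the validation whose result is checked by "if (ret)" above already guarantees source_pad >= num_sinks; a short comment noting that would help. Since this is tagged for stable, consider splitting the one-line change from &state->routing to routing into its own patch and adding the two new constraint checks in a follow-up, so the bypass fix can be backported without the behavior change for routing tables that were previously accepted.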

-- 
2.34.1



Thread overview: 11+ messages
2026-06-29  7:44 [PATCH 0/5] imx8-isi: Bug fixes and format support enhancements Guoniu Zhou
2026-06-29  7:44 ` Guoniu Zhou [this message]
2026-06-29 14:33   ` [PATCH 1/5] media: nxp: imx8-isi: Fix stream ID validation bypass in crossbar routing Frank Li
2026-06-29  7:44 ` [PATCH 2/5] media: nxp: imx8-isi: Fix per-stream reference counting for multiplexed streams Guoniu Zhou
2026-06-29 14:55   ` Frank Li
2026-06-29  7:44 ` [PATCH 3/5] media: nxp: imx8-isi: Add 16-bit raw Bayer format support guoniu.zhou
2026-06-29 14:57   ` Frank Li
2026-06-29  7:44 ` [PATCH 4/5] media: nxp: imx8-isi: Correct color map between V4L2 and ISI Guoniu Zhou
2026-06-29 15:08   ` Frank Li
2026-06-29  7:44 ` [PATCH 5/5] media: nxp: imx8-isi: Add additional 32-bit RGB format support Guoniu Zhou
2026-06-29 15:10   ` Frank Li
