From: sashiko-bot@kernel.org
To: "Loic Poulain" <loic.poulain@oss.qualcomm.com>
Cc: robh@kernel.org, devicetree@vger.kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v4 2/7] media: qcom: camss: Add camss-params helper
Date: Fri, 10 Jul 2026 09:17:56 +0000 [thread overview]
Message-ID: <20260710091757.6701F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710-camss-isp-ope-v4-2-51207a0319d8@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [High] The result of `vb2_plane_vaddr()` is used without being checked for NULL, allowing unprivileged userspace to trigger a kernel crash via an unmapped or invalid buffer.
- [High] `camss_isp_params_apply` introduces a Double-Fetch (TOCTOU) vulnerability by re-reading size fields from a user-shared parameter buffer after validation, allowing malicious userspace to cause out-of-bounds reads or infinite kernel loops.
- [Low] The patch introduces a new file that relies on a non-existent UAPI header `<uapi/linux/camss-config.h>` and an undefined constant `CAMSS_PARAMS_MAX_PAYLOAD`, breaking the kernel build.
Pre-existing issues:
- [High] Preexisting vulnerability in core `v4l2_isp_params_validate_buffer` allows bypassing size validation via double-fetching `buffer->data_size`.
--
--- Patch [2]: [PATCH v4 2/7] media: qcom: camss: Add camss-params helper ---
commit e5eb27065c51794fadaae391d80e83b70481fa0d
Author: Loic Poulain <loic.poulain@oss.qualcomm.com>
media: qcom: camss: Add camss-params helper
Add V4L2 ISP parameter buffer validation helpers for CAMSS ISP drivers.
Provides buffer size validation and per-block type validation for the
extensible V4L2 ISP parameters buffer format.
> diff --git a/drivers/media/platform/qcom/camss/camss-params.c b/drivers/media/platform/qcom/camss/camss-params.c
> new file mode 100644
> index 0000000000000..ebb75a191d375
> --- /dev/null
> +++ b/drivers/media/platform/qcom/camss/camss-params.c
> @@ -0,0 +1,67 @@
[ ... ]
> +int camss_isp_params_apply(struct device *dev,
> + struct vb2_buffer *vb,
> + const struct v4l2_isp_params_block_type_info *type_info,
> + const camss_isp_params_handler_fn *handlers,
> + unsigned int num_handlers,
> + void *priv)
> +{
> + const struct v4l2_isp_params_buffer *buf;
> + unsigned int remaining;
> + unsigned int offset = 0;
> + int ret;
> +
> + ret = v4l2_isp_params_validate_buffer_size(dev, vb,
> + v4l2_isp_params_buffer_size(CAMSS_PARAMS_MAX_PAYLOAD));
[Severity: Low]
Where is CAMSS_PARAMS_MAX_PAYLOAD defined? The kernel build seems to fail
because this constant is undefined.
> + if (ret)
> + return ret;
> +
> + buf = vb2_plane_vaddr(vb, 0);
> +
> + ret = v4l2_isp_params_validate_buffer(dev, vb, buf, type_info, num_handlers);
[Severity: High]
Can this result in a NULL pointer dereference?
If an unprivileged userspace application queues a V4L2 buffer lacking a
virtual address mapping, vb2_plane_vaddr() will return NULL. The NULL
pointer buf is then directly passed to v4l2_isp_params_validate_buffer(),
which dereferences it.
> + if (ret)
> + return ret;
> +
> + dev_dbg(dev, "params: version=%u data_size=%u\n", buf->version, buf->data_size);
> +
> + remaining = buf->data_size;
> +
> + while (remaining >= sizeof(struct v4l2_isp_params_block_header)) {
> + const union camss_isp_params_block *block =
> + (const union camss_isp_params_block *)&buf->data[offset];
> + u16 type = block->header.type;
> + u32 bsize = block->header.size;
[Severity: High]
Could this be susceptible to a double-fetch race condition?
The function validates the V4L2 parameter buffer, but then iteratively
parses it while re-fetching block->header.size from shared user memory.
If a malicious userspace thread concurrently modifies block->header.size to
0 after validation, bsize becomes 0. This means offset and remaining do not
change, which would result in an infinite kernel loop.
> +
> + if (type < num_handlers && handlers[type])
> + handlers[type](priv, block);
> + else
> + dev_dbg(dev, "params: no handler for block type %u\n", type);
> +
> + offset += bsize;
> + remaining -= bsize;
> + }
[ ... ]
> diff --git a/drivers/media/platform/qcom/camss/camss-params.h b/drivers/media/platform/qcom/camss/camss-params.h
> new file mode 100644
> index 0000000000000..058e3f158b42d
> --- /dev/null
> +++ b/drivers/media/platform/qcom/camss/camss-params.h
> @@ -0,0 +1,62 @@
[ ... ]
> +#ifndef CAMSS_PARAMS_H
> +#define CAMSS_PARAMS_H
> +
> +#include <linux/types.h>
> +#include <media/v4l2-isp.h>
> +#include <uapi/linux/camss-config.h>
[Severity: Low]
Is this header correct? It appears that <uapi/linux/camss-config.h> does
not exist in the tree.
[ ... ]
While reviewing this patch, I noticed a related issue in
v4l2_isp_params_validate_buffer() in drivers/media/v4l2-core/v4l2-isp.c:
> /* Validate the size reported in the header */
> buffer_size = header_size + buffer->data_size;
> if (buffer_size != payload_size) {
> dev_dbg(dev, "Data size %zu and payload size %zu are different\n",
> buffer_size, payload_size);
> return -EINVAL;
> }
>
> /* Walk the list of ISP configuration blocks and validate them. */
> buffer_size = buffer->data_size;
[Severity: High]
This is a pre-existing issue, but does this core function allow a bounds
check bypass?
The buffer->data_size field is fetched from shared user memory to validate
it fits in the payload, and then fetched a second time to initialize the
parsing loop bounds.
Can a userspace program concurrently modify buffer->data_size to a large
invalid size between the two fetches, bypassing the bounds check and
causing the block parser to read out of bounds?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260710-camss-isp-ope-v4-0-51207a0319d8@oss.qualcomm.com?part=2
next prev parent reply other threads:[~2026-07-10 9:17 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-10 9:04 [PATCH v4 0/7] media: qcom: camss: CAMSS Offline Processing Engine support Loic Poulain
2026-07-10 9:04 ` [PATCH v4 1/7] media: qcom: camss: Add camss-pipeline helper Loic Poulain
2026-07-10 9:20 ` sashiko-bot
2026-07-10 9:04 ` [PATCH v4 2/7] media: qcom: camss: Add camss-params helper Loic Poulain
2026-07-10 9:17 ` sashiko-bot [this message]
2026-07-10 9:04 ` [PATCH v4 3/7] media: qcom: camss: Add V4L2 meta format for CAMSS ISP parameters Loic Poulain
2026-07-10 9:11 ` sashiko-bot
2026-07-10 9:04 ` [PATCH v4 4/7] dt-bindings: media: qcom: Add CAMSS Offline Processing Engine (OPE) Loic Poulain
2026-07-10 10:20 ` Bryan O'Donoghue
2026-07-10 10:38 ` Loic Poulain
2026-07-10 10:44 ` Bryan O'Donoghue
2026-07-10 9:04 ` [PATCH v4 5/7] media: uapi: Add CAMSS ISP configuration definition Loic Poulain
2026-07-10 9:21 ` sashiko-bot
2026-07-10 21:41 ` Bryan O'Donoghue
2026-07-10 9:04 ` [PATCH v4 6/7] media: qcom: camss: Add CAMSS Offline Processing Engine driver Loic Poulain
2026-07-10 9:24 ` sashiko-bot
2026-07-10 9:04 ` [PATCH v4 7/7] arm64: dts: qcom: agatti: Add OPE node Loic Poulain
2026-07-10 9:35 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710091757.6701F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=loic.poulain@oss.qualcomm.com \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox