[Patch 07/16] media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel panic

public inbox for linux-media@vger.kernel.org
 help / color / mirror / Atom feed

From: Benoit Parrot <bparrot@ti.com>
To: Hans Verkuil <hverkuil@xs4all.nl>
Cc: <linux-media@vger.kernel.org>, <devicetree@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, Benoit Parrot <bparrot@ti.com>
Subject: [Patch 07/16] media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel panic
Date: Fri, 27 Sep 2019 13:36:41 -0500	[thread overview]
Message-ID: <20190927183650.31345-8-bparrot@ti.com> (raw)
In-Reply-To: <20190927183650.31345-1-bparrot@ti.com>

v4l2-compliance fails with this message:

   warn: v4l2-test-formats.cpp(717): \
   	TRY_FMT cannot handle an invalid pixelformat.
   test VIDIOC_TRY_FMT: FAIL

This causes the following kernel panic:

Unable to handle kernel paging request at virtual address 56595561
pgd = ecd80e00
*pgd=00000000
Internal error: Oops: 205 [#1] PREEMPT SMP ARM
...
CPU: 0 PID: 930 Comm: v4l2-compliance Not tainted \
	4.14.62-01715-gc8cd67f49a19 #1
Hardware name: Generic DRA72X (Flattened Device Tree)
task: ece44d80 task.stack: ecc6e000
PC is at __vpe_try_fmt+0x18c/0x2a8 [ti_vpe]
LR is at 0x8

Because the driver fails to properly check the 'num_planes' values for
proper ranges it ends up accessing out of bound data causing the kernel
panic.

Since this driver only handle single or dual plane pixel format, make
sure the provided value does not exceed 2 planes.

Signed-off-by: Benoit Parrot <bparrot@ti.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
---
 drivers/media/platform/ti-vpe/vpe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c
index bbbf11174e16..1278d457f753 100644
--- a/drivers/media/platform/ti-vpe/vpe.c
+++ b/drivers/media/platform/ti-vpe/vpe.c
@@ -1650,7 +1650,7 @@ static int __vpe_try_fmt(struct vpe_ctx *ctx, struct v4l2_format *f,
 			      &pix->height, MIN_H, MAX_H, H_ALIGN,
 			      S_ALIGN);
 
-	if (!pix->num_planes)
+	if (!pix->num_planes || pix->num_planes > 2)
 		pix->num_planes = fmt->coplanar ? 2 : 1;
 	else if (pix->num_planes > 1 && !fmt->coplanar)
 		pix->num_planes = 1;
-- 
2.17.1

next prev parent reply	other threads:[~2019-09-27 18:35 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-27 18:36 [Patch 00/16] media: vpe: maintenance Benoit Parrot
2019-09-27 18:36 ` [Patch 01/16] media: ti-vpe: vpe: Fix Motion Vector vpdma stride Benoit Parrot
2019-09-27 18:36 ` [Patch 02/16] media: ti-vpe: vpe: Add missing null pointer checks Benoit Parrot
2019-09-29  0:08   ` Austin Kim
2019-09-30 15:58     ` Benoit Parrot
2019-10-03 12:37       ` Austin Kim
2019-09-27 18:36 ` [Patch 03/16] media: ti-vpe: vpe: Remove unnecessary use of container_of Benoit Parrot
2019-09-27 18:36 ` [Patch 04/16] media: ti-vpe: Add support for SEQ_BT Benoit Parrot
2019-09-27 18:36 ` [Patch 05/16] media: ti-vpe: Add support for NV21 format Benoit Parrot
2019-09-27 18:36 ` [Patch 06/16] media: ti-vpe: Set MAX height supported to 2048 pixels Benoit Parrot
2019-09-27 18:36 ` Benoit Parrot [this message]
2019-09-30  8:35   ` [Patch 07/16] media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel panic Hans Verkuil
2019-09-30 16:04     ` Benoit Parrot
2019-09-27 18:36 ` [Patch 08/16] media: ti-vpe: vpe: fix a v4l2-compliance warning about invalid pixel format Benoit Parrot
2019-09-27 18:36 ` [Patch 09/16] media: ti-vpe: vpe: Make sure YUYV is set as default format Benoit Parrot
2019-09-27 18:36 ` [Patch 10/16] media: ti-vpe: vpe: fix a v4l2-compliance failure about invalid sizeimage Benoit Parrot
2019-09-27 18:36 ` [Patch 11/16] media: ti-vpe: vpe: fix a v4l2-compliance failure about frame sequence number Benoit Parrot
2019-09-27 18:36 ` [Patch 12/16] media: ti-vpe: vpe: ensure buffers are cleaned up properly in abort cases Benoit Parrot
2019-09-27 18:36 ` [Patch 13/16] media: ti-vpe: vpdma: Use fixed type for address in descriptor Benoit Parrot
2019-09-27 18:36 ` [Patch 14/16] media: ti-vpe: Set the DMA mask and coherent mask Benoit Parrot
2019-09-27 18:36 ` [Patch 15/16] media: ti-vpe: vpe: fix v4l2_compliance issue related to xfer_func Benoit Parrot
2019-09-27 18:36 ` [Patch 16/16] media: ti-vpe: vpe: don't rely on colorspace member for conversion Benoit Parrot
2019-09-30  9:05   ` Hans Verkuil
2019-09-30 20:24     ` Benoit Parrot

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:bbbf11174e1 dfblob:1278d457f75 )
 OR (
bs:"[Patch 07/16] media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel panic" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190927183650.31345-8-bparrot@ti.com \
    --to=bparrot@ti.com \
    --cc=devicetree@vger.kernel.org \
    --cc=hverkuil@xs4all.nl \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-media@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox