From: Martin Hecht
Cc: sakari.ailus@linux.intel.com, martin.hecht@avnet.eu, michael.roeder@avnet.eu, stable@vger.kernel.org, Martin Hecht, Tommaso Merciai, Mauro Carvalho Chehab, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3] media: i2c: alvium: fix critical pointer access in alvium_ctrl_init
Date: Fri, 8 May 2026 11:59:03 +0200
Message-ID: <20260508095906.500220-1-mhecht73@gmail.com>

The current implementation of alvium_ctrl_init creates several controls
in function alvium_ctrl_init and uses the returned pointer without check.
That can cause write access over NULL-pointer for several controls.
The reworked code checks the pointers before adding flags.

Fixes: 0a7af872915e ("media: i2c: Add support for alvium camera")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Hecht
---
Changes in v3 (since v1):
- Split conditional creation of manual WB controls into another patch.
- Limit changes only on checking returned pointer values.
- ctrls->pixel_rate->flags is readonly by default, no need to replicate that.

Changes in v2:
- Has been reworked completely because file was broken.
---
drivers/media/i2c/alvium-csi2.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/drivers/media/i2c/alvium-csi2.c b/drivers/media/i2c/alvium-csi2.c index b62b45a4f2fc..f51f9b987759 100644 --- a/drivers/media/i2c/alvium-csi2.c +++ b/drivers/media/i2c/alvium-csi2.c
@@ -2100,20 +2100,21 @@ static int alvium_ctrl_init(struct alvium_dev *alvium) V4L2_CID_PIXEL_RATE, 0, ALVIUM_DEFAULT_PIXEL_RATE_MHZ, 1, ALVIUM_DEFAULT_PIXEL_RATE_MHZ); - ctrls->pixel_rate->flags |= V4L2_CTRL_FLAG_READ_ONLY; /* Link freq is fixed */ ctrls->link_freq = v4l2_ctrl_new_int_menu(hdl, ops, V4L2_CID_LINK_FREQ, 0, 0, &alvium->link_freq); - ctrls->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY; + if (ctrls->link_freq) + ctrls->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY; /* Auto/manual white balance */ if (alvium->avail_ft.auto_whiteb) { ctrls->auto_wb = v4l2_ctrl_new_std(hdl, ops, V4L2_CID_AUTO_WHITE_BALANCE, 0, 1, 1, 1); - v4l2_ctrl_auto_cluster(3, &ctrls->auto_wb, 0, false); + if (ctrls->auto_wb) + v4l2_ctrl_auto_cluster(3, &ctrls->auto_wb, 0, false); } ctrls->blue_balance = v4l2_ctrl_new_std(hdl, ops, @@ -2122,6 +2123,7 @@ static int alvium_ctrl_init(struct alvium_dev *alvium) alvium->max_bbalance, alvium->inc_bbalance, alvium->dft_bbalance); + ctrls->red_balance = v4l2_ctrl_new_std(hdl, ops, V4L2_CID_RED_BALANCE, alvium->min_rbalance, @@ -2136,7 +2138,9 @@ static int alvium_ctrl_init(struct alvium_dev *alvium) V4L2_CID_EXPOSURE_AUTO, V4L2_EXPOSURE_MANUAL, 0, V4L2_EXPOSURE_AUTO); - v4l2_ctrl_auto_cluster(2, &ctrls->auto_exp, 1, true); + if (ctrls->auto_exp) + v4l2_ctrl_auto_cluster(2, &ctrls->auto_exp, + V4L2_EXPOSURE_MANUAL, true); } ctrls->exposure = v4l2_ctrl_new_std(hdl, ops, @@ -2145,14 +2149,16 @@ static int alvium_ctrl_init(struct alvium_dev *alvium) alvium->max_exp, alvium->inc_exp, alvium->dft_exp); - ctrls->exposure->flags |= V4L2_CTRL_FLAG_VOLATILE; + if (ctrls->exposure) + ctrls->exposure->flags |= V4L2_CTRL_FLAG_VOLATILE; /* Auto/manual gain */ if (alvium->avail_ft.auto_gain) { ctrls->auto_gain = v4l2_ctrl_new_std(hdl, ops, V4L2_CID_AUTOGAIN, 0, 1, 1, 1); - v4l2_ctrl_auto_cluster(2, &ctrls->auto_gain, 0, true); + if (ctrls->auto_gain) + v4l2_ctrl_auto_cluster(2, &ctrls->auto_gain, 0, true); } if (alvium->avail_ft.gain) { 
@@ -2162,7 +2168,8 @@ static int alvium_ctrl_init(struct alvium_dev *alvium) alvium->max_gain, alvium->inc_gain, alvium->dft_gain); - ctrls->gain->flags |= V4L2_CTRL_FLAG_VOLATILE; + if (ctrls->gain) + ctrls->gain->flags |= V4L2_CTRL_FLAG_VOLATILE; } if (alvium->avail_ft.sat) -- 2.43.0
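
Review bot: In the first hunk (@@ -2100,20 +2100,21 @@) the line `ctrls->pixel_rate->flags |= V4L2_CTRL_FLAG_READ_ONLY;` is deleted instead of guarded, and the only reason given ("readonly by default") sits in the changelog below the `---`, which is discarded when the patch is applied. The commit message body speaks only of checking pointers before adding flags, so please move that one-line justification into the body. A stable backporter then sees why this NULL dereference is fixed by removal while `link_freq` in the same hunk is fixed by a check.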
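
Review bot: The second hunk (@@ -2122,6 +2123,7 @@) adds nothing but an empty line between the `blue_balance` and `red_balance` assignments. That is a whitespace-only change in a patch tagged `Fixes:` and `Cc: stable`, and it contradicts the v3 changelog item "Limit changes only on checking returned pointer values". Please drop this hunk so the backport touches only the lines that carry the fix.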
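
Review bot: In the third hunk (@@ -2136,7 +2138,9 @@) the `auto_exp` cluster call gets its NULL check, but the third argument also changes from the literal `1` to `V4L2_EXPOSURE_MANUAL`. That substitution is a readability cleanup, not part of the pointer fix, and the commit message does not mention it. Either keep `1` here and send the named constant as a separate cleanup, or state in the commit message that the value passed is unchanged so reviewers of the stable backport do not have to verify it themselves.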
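
Review bot: In the last two hunks (@@ -2145,14 +2149,16 @@ and @@ -2162,7 +2168,8 @@) the new `if (ctrls->exposure)`, `if (ctrls->auto_gain)` and `if (ctrls->gain)` checks silently skip the flag or cluster setup when creation failed, and nothing in the visible lines returns or logs an error at that point. The commit message should say where the failure is reported to the caller (for example a handler error check after all controls are created, if the function has one). Without that statement a reader cannot tell from this patch whether init now fails cleanly or continues with controls missing their `V4L2_CTRL_FLAG_VOLATILE` flag and clustering.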