* [PATCH] media: staging: media: omap4iss: Fix null dereference for iss
@ 2022-12-28 20:58 Tanmay Bhushan
2022-12-28 21:27 ` Laurent Pinchart
0 siblings, 1 reply; 3+ messages in thread
From: Tanmay Bhushan @ 2022-12-28 20:58 UTC (permalink / raw)
To: Laurent Pinchart, Mauro Carvalho Chehab, Greg Kroah-Hartman,
linux-media, linux-staging, linux-kernel
From 7aa39c0d02bddf9cfa14762f115303b79bfa0ae3 Mon Sep 17 00:00:00 2001
From: Tanmay Bhushan <007047221b@gmail.com>
Date: Wed, 28 Dec 2022 21:01:16 +0100
Subject: [PATCH] media: staging: media: omap4iss: Fix null dereference
for iss
media_pad_remote_pad_first returns NULL in some cases but while using
the return value was used without NULL check which will lead to panic
in case of NULL return. iss_pipeline_is_last returns value check so
have returned 0 in case of NULL and csi2_configure is not documented
for such cases so returned EINVAL for it. Code is not tested
as it is only for NULL dereference verification.
Signed-off-by: Tanmay Bhushan <007047221b@gmail.com>
---
drivers/staging/media/omap4iss/iss.c | 6 +++++-
drivers/staging/media/omap4iss/iss_csi2.c | 4 ++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/media/omap4iss/iss.c
b/drivers/staging/media/omap4iss/iss.c
index fa2a36d829d3..3f01eeff40e7 100644
--- a/drivers/staging/media/omap4iss/iss.c
+++ b/drivers/staging/media/omap4iss/iss.c
@@ -552,7 +552,11 @@ static int iss_pipeline_is_last(struct
media_entity *me)
if (!pipe || pipe->stream_state ==
ISS_PIPELINE_STREAM_STOPPED)
return 0;
pad = media_pad_remote_pad_first(&pipe->output->pad);
- return pad->entity == me;
+
+ if (pad)
+ return pad->entity == me;
+
+ return 0;
}
static int iss_reset(struct iss_device *iss)
diff --git a/drivers/staging/media/omap4iss/iss_csi2.c
b/drivers/staging/media/omap4iss/iss_csi2.c
index 04ce0e7eb557..ab2c2ad64464 100644
--- a/drivers/staging/media/omap4iss/iss_csi2.c
+++ b/drivers/staging/media/omap4iss/iss_csi2.c
@@ -539,6 +539,10 @@ static int csi2_configure(struct iss_csi2_device
*csi2)
return -EBUSY;
pad = media_pad_remote_pad_first(&csi2->pads[CSI2_PAD_SINK]);
+
+ if (!pad)
+ return -EINVAL;
+
sensor = media_entity_to_v4l2_subdev(pad->entity);
pdata = sensor->host_priv;
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] media: staging: media: omap4iss: Fix null dereference for iss
2022-12-28 20:58 [PATCH] media: staging: media: omap4iss: Fix null dereference for iss Tanmay Bhushan
@ 2022-12-28 21:27 ` Laurent Pinchart
[not found] ` <CAKKF0qA8oB7ZkkQ5-bj=66sP+WmjL6gUDV5EMTBM3SSW5_+qXA@mail.gmail.com>
0 siblings, 1 reply; 3+ messages in thread
From: Laurent Pinchart @ 2022-12-28 21:27 UTC (permalink / raw)
To: Tanmay Bhushan
Cc: Mauro Carvalho Chehab, Greg Kroah-Hartman, linux-media,
linux-staging, linux-kernel
Hi Tanmay,
Thank you for the patch.
On Wed, Dec 28, 2022 at 09:58:31PM +0100, Tanmay Bhushan wrote:
> From 7aa39c0d02bddf9cfa14762f115303b79bfa0ae3 Mon Sep 17 00:00:00 2001
> From: Tanmay Bhushan <007047221b@gmail.com>
> Date: Wed, 28 Dec 2022 21:01:16 +0100
> Subject: [PATCH] media: staging: media: omap4iss: Fix null dereference
> for iss
>
> media_pad_remote_pad_first returns NULL in some cases but while using
> the return value was used without NULL check which will lead to panic
> in case of NULL return. iss_pipeline_is_last returns value check so
> have returned 0 in case of NULL and csi2_configure is not documented
> for such cases so returned EINVAL for it. Code is not tested
> as it is only for NULL dereference verification.
>
> Signed-off-by: Tanmay Bhushan <007047221b@gmail.com>
> ---
> drivers/staging/media/omap4iss/iss.c | 6 +++++-
> drivers/staging/media/omap4iss/iss_csi2.c | 4 ++++
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/media/omap4iss/iss.c
> b/drivers/staging/media/omap4iss/iss.c
> index fa2a36d829d3..3f01eeff40e7 100644
> --- a/drivers/staging/media/omap4iss/iss.c
> +++ b/drivers/staging/media/omap4iss/iss.c
> @@ -552,7 +552,11 @@ static int iss_pipeline_is_last(struct
> media_entity *me)
Your mail client wrapped lines, which prevents the patch from being
applied with git-am. I recommend using git-send-email to send patches.
https://git-send-email.io/ provides clear and detailed instructions on
how to set it up (especially when using gmail).
> if (!pipe || pipe->stream_state ==
> ISS_PIPELINE_STREAM_STOPPED)
> return 0;
> pad = media_pad_remote_pad_first(&pipe->output->pad);
> - return pad->entity == me;
Have you seen this actually crashing, or are you only speculating ? The
video node at the output of the pipeline should always be connected, so
I don't think media_pad_remote_pad_first() can ever return NULL here.
> +
> + if (pad)
> + return pad->entity == me;
> +
> + return 0;
> }
>
> static int iss_reset(struct iss_device *iss)
> diff --git a/drivers/staging/media/omap4iss/iss_csi2.c
> b/drivers/staging/media/omap4iss/iss_csi2.c
> index 04ce0e7eb557..ab2c2ad64464 100644
> --- a/drivers/staging/media/omap4iss/iss_csi2.c
> +++ b/drivers/staging/media/omap4iss/iss_csi2.c
> @@ -539,6 +539,10 @@ static int csi2_configure(struct iss_csi2_device
> *csi2)
> return -EBUSY;
>
> pad = media_pad_remote_pad_first(&csi2->pads[CSI2_PAD_SINK]);
> +
> + if (!pad)
> + return -EINVAL;
Same here, what makes you think this is possible ?
> +
> sensor = media_entity_to_v4l2_subdev(pad->entity);
> pdata = sensor->host_priv;
>
>
--
Regards,
Laurent Pinchart
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-12-29 7:15 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-28 20:58 [PATCH] media: staging: media: omap4iss: Fix null dereference for iss Tanmay Bhushan
2022-12-28 21:27 ` Laurent Pinchart
[not found] ` <CAKKF0qA8oB7ZkkQ5-bj=66sP+WmjL6gUDV5EMTBM3SSW5_+qXA@mail.gmail.com>
2022-12-29 7:14 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox