From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 8 May 2026 08:25:49 +0200
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] media: i2c: alvium: fix critical pointer access in alvium_ctrl_init
Cc: sakari.ailus@linux.intel.com, martin.hecht@avnet.eu, michael.roeder@avnet.eu, stable@vger.kernel.org, Tommaso Merciai , Mauro Carvalho Chehab , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20260508045332.360004-1-mhecht73@gmail.com>
From: Martin Hecht
In-Reply-To: <20260508045332.360004-1-mhecht73@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi all,

please ignore that misleading patch. I sent the wrong file. I set the status on patchwork to obsolete. I'm preparing v3 after cleanup.

Kind regards,
Martin

On 5/8/26 06:53, Martin Hecht wrote:
> The current implementation of alvium_ctrl_init creates several controls
> in function alvium_ctrl_init and uses the returned pointer without
> check. That can cause write access over NULL-pointer for several
> controls.
> The reworked code checks the pointers before adding flags and also it
> creates controls for V4L2_CID_BLUE_BALANCE and V4L2_CID_RED_BALANCE only
> if supported by the particular camera model.
>
> Fixes: 0a7af872915e ("media: i2c: Add support for alvium camera")
> Cc: stable@vger.kernel.org
> Signed-off-by: Martin Hecht
> ---
> drivers/media/i2c/alvium-csi2.c | 72 +++++++++++++++++++--------------
> 1 file changed, 42 insertions(+), 30 deletions(-)
>
> diff --git a/drivers/media/i2c/alvium-csi2.c b/drivers/media/i2c/alvium-csi2.c > index b62b45a4f2fc..43535ba7a264 100644 > --- a/drivers/media/i2c/alvium-csi2.c > +++ b/drivers/media/i2c/alvium-csi2.c 
> @@ -2100,34 +2100,41 @@ static int alvium_ctrl_init(struct alvium_dev *alvium) > V4L2_CID_PIXEL_RATE, 0, > ALVIUM_DEFAULT_PIXEL_RATE_MHZ, 1, > ALVIUM_DEFAULT_PIXEL_RATE_MHZ); > - ctrls->pixel_rate->flags |= V4L2_CTRL_FLAG_READ_ONLY; > + if (ctrls->pixel_rate) > + ctrls->pixel_rate->flags |= V4L2_CTRL_FLAG_READ_ONLY; > > /* Link freq is fixed */ > ctrls->link_freq = v4l2_ctrl_new_int_menu(hdl, ops, > V4L2_CID_LINK_FREQ, > 0, 0, &alvium->link_freq); > - ctrls->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY; > - > - /* Auto/manual white balance */ > + if (ctrls->link_freq) > + ctrls->link_freq->flags |= V4L2_CTRL_FLAG_READ_ONLY; > + > + /* manual white balance */ > + if (alvium->avail_ft.whiteb) { > + ctrls->blue_balance = v4l2_ctrl_new_std(hdl, ops, > + V4L2_CID_BLUE_BALANCE, > + alvium->min_bbalance, > + alvium->max_bbalance, > + alvium->inc_bbalance, > + alvium->dft_bbalance); > + > + ctrls->red_balance = v4l2_ctrl_new_std(hdl, ops, > + V4L2_CID_RED_BALANCE, > + alvium->min_rbalance, > + alvium->max_rbalance, > + alvium->inc_rbalance, > + alvium->dft_rbalance); > + } > + > + /* Auto white balance */ > if (alvium->avail_ft.auto_whiteb) { > ctrls->auto_wb = v4l2_ctrl_new_std(hdl, ops, > V4L2_CID_AUTO_WHITE_BALANCE, > 0, 1, 1, 1); > - v4l2_ctrl_auto_cluster(3, &ctrls->auto_wb, 0, false); > - } > - > - ctrls->blue_balance = v4l2_ctrl_new_std(hdl, ops, > - V4L2_CID_BLUE_BALANCE, > - alvium->min_bbalance, > - alvium->max_bbalance, > - alvium->inc_bbalance, > - alvium->dft_bbalance); > - ctrls->red_balance = v4l2_ctrl_new_std(hdl, ops, > - V4L2_CID_RED_BALANCE, > - alvium->min_rbalance, > - alvium->max_rbalance, > - alvium->inc_rbalance, > - alvium->dft_rbalance); > + if (ctrls->auto_wb) > + v4l2_ctrl_auto_cluster(3, &ctrls->auto_wb, 0, false); > + } > > /* Auto/manual exposure */ > if (alvium->avail_ft.auto_exp) { 
> @@ -2136,7 +2143,9 @@ static int alvium_ctrl_init(struct alvium_dev *alvium) > V4L2_CID_EXPOSURE_AUTO, > V4L2_EXPOSURE_MANUAL, 0, > V4L2_EXPOSURE_AUTO); > - v4l2_ctrl_auto_cluster(2, &ctrls->auto_exp, 1, true); > + if (ctrls->auto_exp) > + v4l2_ctrl_auto_cluster(2, &ctrls->auto_exp, > + V4L2_EXPOSURE_MANUAL, true); > } > > ctrls->exposure = v4l2_ctrl_new_std(hdl, ops, > @@ -2145,15 +2154,8 @@ static int alvium_ctrl_init(struct alvium_dev *alvium) > alvium->max_exp, > alvium->inc_exp, > alvium->dft_exp); > - ctrls->exposure->flags |= V4L2_CTRL_FLAG_VOLATILE; > - > - /* Auto/manual gain */ > - if (alvium->avail_ft.auto_gain) { > - ctrls->auto_gain = v4l2_ctrl_new_std(hdl, ops, > - V4L2_CID_AUTOGAIN, > - 0, 1, 1, 1); > - v4l2_ctrl_auto_cluster(2, &ctrls->auto_gain, 0, true); > - } > + if (ctrls->exposure) > + ctrls->exposure->flags |= V4L2_CTRL_FLAG_VOLATILE; > > if (alvium->avail_ft.gain) { > ctrls->gain = v4l2_ctrl_new_std(hdl, ops, > @@ -2162,7 +2164,17 @@ static int alvium_ctrl_init(struct alvium_dev *alvium) > alvium->max_gain, > alvium->inc_gain, > alvium->dft_gain); > - ctrls->gain->flags |= V4L2_CTRL_FLAG_VOLATILE; > + if (ctrls->gain) > + ctrls->gain->flags |= V4L2_CTRL_FLAG_VOLATILE; > + } > + > + /* Auto/manual gain */ > + if (alvium->avail_ft.auto_gain) { > + ctrls->auto_gain = v4l2_ctrl_new_std(hdl, ops, > + V4L2_CID_AUTOGAIN, > + 0, 1, 1, 1); > + if (ctrls->auto_gain) > + v4l2_ctrl_auto_cluster(2, &ctrls->auto_gain, 0, true); > } > > if (alvium->avail_ft.sat)
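
Review bot: In the @@ -2100,34 +2100,41 @@ hunk, the blue/red balance controls are now created only under alvium->avail_ft.whiteb, but the auto white balance block is gated separately on alvium->avail_ft.auto_whiteb and still registers a cluster of 3 starting at &ctrls->auto_wb. On a model that reports auto_whiteb without whiteb, that cluster covers two controls that were never created. Either nest the cluster call so it only runs when both features are present, or state in the commit message that this combination cannot occur. The new comment "manual white balance" should also start with a capital like the neighbouring comments.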
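
Review bot: In the @@ -2136,7 +2143,9 @@ hunk, v4l2_ctrl_auto_cluster(2, &ctrls->auto_exp, ...) still runs before ctrls->exposure is assigned by the v4l2_ctrl_new_std() call that follows the closing brace, while the white balance and gain blocks in this patch were reordered so the cluster call comes after the manual controls exist. If that ordering is the reason for the moves, the exposure block needs the same treatment. Replacing the literal 1 with V4L2_EXPOSURE_MANUAL is a readability cleanup unrelated to the NULL checks and is better mentioned in the commit message or sent separately.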
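
Review bot: In the @@ -2145,15 +2154,8 @@ hunk, the new "if (ctrls->exposure)" guard avoids the write through a NULL pointer but lets alvium_ctrl_init carry on after a failed control creation. The visible lines do not show an error return; please confirm the function checks hdl->error after the last control is added and bails out, otherwise the failure is only hidden. The same applies to the pixel_rate, link_freq and gain guards.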
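
Review bot: In the @@ -2162,7 +2164,17 @@ hunk, the auto gain block is moved behind the gain control without any mention in the commit message, which only describes pointer checks and the white balance gating. For a patch tagged Cc: stable, say why the order matters or split the reordering into its own patch. Note also that the cluster of 2 at &ctrls->auto_gain is registered under avail_ft.auto_gain alone, so it can still run when avail_ft.gain is false and ctrls->gain was never created.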