Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965490AbcJFIsP (ORCPT <rfc822;w@1wt.eu>);
        Thu, 6 Oct 2016 04:48:15 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:48570 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S964981AbcJFIsN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 6 Oct 2016 04:48:13 -0400
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>,
        Mauro Carvalho Chehab <mchehab@s-opensource.com>
Subject: [PATCH 4.7 083/141] [media] v4l: vsp1: Fix crash when resetting pipeline
Date: Thu,  6 Oct 2016 10:28:39 +0200
Message-Id: <20161006074452.320102459@linuxfoundation.org>
X-Mailer: git-send-email 2.10.0
In-Reply-To: <20161006074448.608056610@linuxfoundation.org>
References: <20161006074448.608056610@linuxfoundation.org>
User-Agent: quilt/0.64
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1968
Lines: 58

4.7-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>

commit d69e40fade97b6b19837c1772efa516bc28cc870 upstream.

The vsp1_pipeline_reset() function loops over pipeline inputs and output
and resets them. When doing so it assumes both that the pipeline has
been correctly configured with an output, and that inputs are are stored
in the pipe inputs array at positions 0 to num_inputs-1.

Both the assumptions are incorrect. The pipeline might need to be reset
after a failed attempts to configure it, without any output specified.
Furthermore, inputs are stored in a positiong equal to their RPF index,
possibly creating holes in the inputs array if the RPFs are not used in
sequence.

Fix both issues by looping over the whole inputs array and skipping
unused entries, and ignoring the output when not set.

Fixes: ff7e97c94d9f ("[media] v4l: vsp1: Store pipeline pointer in rwpf")

Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/vsp1/vsp1_pipe.c |   14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

--- a/drivers/media/platform/vsp1/vsp1_pipe.c
+++ b/drivers/media/platform/vsp1/vsp1_pipe.c
@@ -172,13 +172,17 @@ void vsp1_pipeline_reset(struct vsp1_pip
 			bru->inputs[i].rpf = NULL;
 	}
 
-	for (i = 0; i < pipe->num_inputs; ++i) {
-		pipe->inputs[i]->pipe = NULL;
-		pipe->inputs[i] = NULL;
+	for (i = 0; i < ARRAY_SIZE(pipe->inputs); ++i) {
+		if (pipe->inputs[i]) {
+			pipe->inputs[i]->pipe = NULL;
+			pipe->inputs[i] = NULL;
+		}
 	}
 
-	pipe->output->pipe = NULL;
-	pipe->output = NULL;
+	if (pipe->output) {
+		pipe->output->pipe = NULL;
+		pipe->output = NULL;
+	}
 
 	INIT_LIST_HEAD(&pipe->entities);
 	pipe->state = VSP1_PIPELINE_STOPPED;