Date: Thu, 8 Sep 2022 15:08:27 +0300
Subject: Re: [PATCH] ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()
To: Maximilian Luz, Sakari Ailus
Cc: Bingbu Cao, Tianshu Qiu, Mauro Carvalho Chehab, Greg Kroah-Hartman, Laurent Pinchart, Hans Verkuil, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20220907224409.3187482-1-luzmaximilian@gmail.com>
From: Tomi Valkeinen
In-Reply-To: <20220907224409.3187482-1-luzmaximilian@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 08/09/2022 01:44, Maximilian Luz wrote:
> Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()
> with a subdev state of NULL leads to a NULL pointer dereference. This
> can currently happen in imgu_subdev_set_selection() when the state
> passed in is NULL, as this method first gets pointers to both the "try"
> and "active" states and only then decides which to use.
>
> The same issue has been addressed for imgu_subdev_get_selection() with
> commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active
> selection access"). However the issue still persists in
> imgu_subdev_set_selection().
>
> Therefore, apply a similar fix as done in the aforementioned commit to
> imgu_subdev_set_selection(). To keep things a bit cleaner, introduce
> helper functions for "crop" and "compose" access and use them in both
> imgu_subdev_set_selection() and imgu_subdev_get_selection().
>
> Fixes: 0d346d2a6f54 ("media: v4l2-subdev: add subdev-wide state struct")
> Cc: stable@vger.kernel.org # for v5.14 and later
> Signed-off-by: Maximilian Luz > --- > drivers/staging/media/ipu3/ipu3-v4l2.c | 57 +++++++++++++++----------- > 1 file changed, 34 insertions(+), 23 deletions(-) > > diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c > index ce13e746c15f..e530767e80a5 100644 > --- a/drivers/staging/media/ipu3/ipu3-v4l2.c > +++ b/drivers/staging/media/ipu3/ipu3-v4l2.c > @@ -188,6 +188,28 @@ static int imgu_subdev_set_fmt(struct v4l2_subdev *sd, > return 0; > } > > +static struct v4l2_rect * > +imgu_subdev_get_crop(struct imgu_v4l2_subdev *sd, > + struct v4l2_subdev_state *sd_state, unsigned int pad, > + enum v4l2_subdev_format_whence which) > +{ > + if (which == V4L2_SUBDEV_FORMAT_TRY) > + return v4l2_subdev_get_try_crop(&sd->subdev, sd_state, pad); > + else > + return &sd->rect.eff; > +} > + > +static struct v4l2_rect * > +imgu_subdev_get_compose(struct imgu_v4l2_subdev *sd, > + struct v4l2_subdev_state *sd_state, unsigned int pad, > + enum v4l2_subdev_format_whence which) > +{ > + if (which == V4L2_SUBDEV_FORMAT_TRY) > + return v4l2_subdev_get_try_compose(&sd->subdev, sd_state, pad); > + else > + return &sd->rect.bds; > +} If I understand right, these functions are only called with pad 0 (IMGU_NODE_IN). I would drop the pad argument here and use IMGU_NODE_IN. Otherwise it gives a false idea that other pads could be used with these functions, and that would fail for the V4L2_SUBDEV_FORMAT_ACTIVE case. However, that's not a big issue. With or without the change: Reviewed-by: Tomi Valkeinen Tomi
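Review bot: the `else` after `return` in both new helpers (imgu_subdev_get_crop() and imgu_subdev_get_compose()) is redundant and checkpatch warns about it ("else is not generally useful after a break or return"); the idiomatic kernel form is `if (which == V4L2_SUBDEV_FORMAT_TRY) return v4l2_subdev_get_try_crop(&sd->subdev, sd_state, pad);` followed directly by `return &sd->rect.eff;`. Related to the NULL-safety argument in the commit message: the helpers still pass sd_state straight through to v4l2_subdev_get_try_crop()/v4l2_subdev_get_try_compose() when which is V4L2_SUBDEV_FORMAT_TRY, so the guarantee only covers the ACTIVE path, which is the case the commit message says arrives with a NULL state; a one-line comment on the helpers stating that sd_state must be non-NULL for TRY would document the precondition the fix relies on. Note also that the quoted hunk only adds the two helpers, while the diffstat (34 insertions, 23 deletions) implies call-site changes in imgu_subdev_set_selection() and imgu_subdev_get_selection() that are not included in this quote, so the removal of the early unconditional pointer fetch cannot be verified from what is visible here.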