Received: by 2002:ab2:6991:0:b0:1f7:f6c3:9cb1 with SMTP id v17csp238920lqo;
        Tue, 7 May 2024 19:52:31 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXwuv/lzblUgwFPsFCB5sPWAzoAfjJM2vjHGwp8LmE6ldgm5Lo3IX+a9UUlffaFcDNSln2gGdmg29kv7QUxbb5OyX+XijQm1v8TF4ZWDg==
X-Google-Smtp-Source: AGHT+IGWLXcLbF2+jC7fmgINVQogTHAFWmWzrfNc6cil6zo9fGoKf7Wzr9kbu5ttm+68OWCGPhT0
X-Received: by 2002:a05:6a20:ce4b:b0:1af:cc84:f7ec with SMTP id adf61e73a8af0-1afcc84f91dmr64641637.4.1715136751423;
        Tue, 07 May 2024 19:52:31 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715136751; cv=pass;
        d=google.com; s=arc-20160816;
        b=yd9yrr8IYG29xFvNx2TXSLCk8hf7LjdGv/F/HXCvQrieqhf0un3GFwTupARTz+brt8
         jfV0bLmYMFIe/LNim0gVt1uwC6NwEn1pLg84OMSvtUNe3ioR1JQPkT49HLB7q96uZACF
         9CZhDXvZ1TXfhv2OUQH8/uhoeKWX8iD+wWjAJi/kMtk0zv8bh1jTCBEPYgOD6kMGj/50
         381tOUMs2DOQN/HvnQNMweoWdC6D3mhEjSbY4S0EPwF6EPFwxU+uZi2B6oVZfq34Nnl3
         uNScmyP5sWtxH+tTSQAZht8rrhDBRmfPXBjCmlp2VFhGx79QB10c3AxiGNViaQnImfQK
         i7bg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=geZdhczy5v3XzQr5jvBujPytnWZIYj7CXxZvY/BFYqI=;
        fh=YzE8wzG7P0oOUPyNHLrEu+5nxrkaMcQO78EaXnBngmU=;
        b=i+l+3xlDMb0Rz4oFGzrGCIdzoGYZrplevudAvjqoy0xo+KYFmLL8XeuLk3/lePa04h
         oRu8Mok+gt/6S1BKf494FyaUq10chvJbtA41K5tVCVMQu2IN6L0HkLZ4abl93C+274eE
         DjsAXjACI7S5pnoisIjJ1ZlSjX351sAtWYAZmL2aofcLFcybX3AYubKz0GggkfpD9yUb
         ICprrUny3d8x4Z+8yen37jWLL+GNXbavRHbIcAuquaRCgrRqlPuyE5py3dnYEEAxmyRp
         lfzhoos+zDmOep+Ic5x3PzO4QoGRMsJciWPNtiJ7aGrkjLaOdBv22R8AWPI4089x7oq6
         5GUg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@richtek.com header.s=richtek header.b=id37CP6Y;
       arc=pass (i=1 spf=pass spfdomain=richtek.com dkim=pass dkdomain=richtek.com dmarc=pass fromdomain=richtek.com);
       spf=pass (google.com: domain of linux-kernel+bounces-172641-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172641-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=richtek.com
Return-Path: <linux-kernel+bounces-172641-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id i1-20020a17090a650100b002b44e772a7asi412478pjj.122.2024.05.07.19.52.31
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 07 May 2024 19:52:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-172641-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@richtek.com header.s=richtek header.b=id37CP6Y;
       arc=pass (i=1 spf=pass spfdomain=richtek.com dkim=pass dkdomain=richtek.com dmarc=pass fromdomain=richtek.com);
       spf=pass (google.com: domain of linux-kernel+bounces-172641-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-172641-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=richtek.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id EF8C128252D
	for <linux.lists.archive@gmail.com>; Wed,  8 May 2024 02:52:30 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id BD2F413ADC;
	Wed,  8 May 2024 02:52:23 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=richtek.com header.i=@richtek.com header.b="id37CP6Y"
Received: from mg.richtek.com (mg.richtek.com [220.130.44.152])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 2EFB35228;
	Wed,  8 May 2024 02:52:18 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=220.130.44.152
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715136742; cv=none; b=XPaSiv5BSBH+5dcTXoKWjFlBFZGqDcxb00iFylQNpcld/18vfSMnV2i2OuVvEpikf2A5dQAIVBuH1rGTfVrR2BGxh4h1sAaB03JDaVFI/VV70KQvW5dcIyIThR+SdkywPxzBDfhfe5lJkGdZztj++TaOKXckjj/PO2WiOOYifb4=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715136742; c=relaxed/simple;
	bh=tsvoE3t4+nq4hodQWrfVGpaWSOPtMpX3lIjRqCsujEM=;
	h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=OSez/8QrUIQlecBVaAEWrqoOeFovNyjU+upkAfSyt/e8BzIfNwBMyXiIbLNSJe99wGMIg84ZWO6iBzB5uzM4CTLQ28T80FlAvKBV8H1q3LiWUy1Swq6rYf0dfvTXnl3CLmhU6JSYVR6uVrKj0/rXx4c6yMn+qF9vDeKMXvm41PY=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=richtek.com; spf=pass smtp.mailfrom=richtek.com; dkim=pass (2048-bit key) header.d=richtek.com header.i=@richtek.com header.b=id37CP6Y; arc=none smtp.client-ip=220.130.44.152
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=richtek.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=richtek.com
X-MailGates: (SIP:2,PASS,NONE)(compute_score:DELIVER,40,3)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=richtek.com;
	s=richtek; t=1715136732;
	bh=geZdhczy5v3XzQr5jvBujPytnWZIYj7CXxZvY/BFYqI=; l=2046;
	h=From:To:Subject:Date:Message-ID:MIME-Version;
	b=id37CP6YkKhYhgqRjFkjxptdViRINuLDgWY5XIHLuHlIhDH9AC9VsZ+J1yccfFJrv
	 VkRI2G2LrRGX4SIGLWHBCtzdqNKOvZgXI4hEBfoQhNnV9gKI6oZTOIK7dgPc2SN2RK
	 8eVufmhDN2MGPgOpycCoGD002U59IN1gLig1DWa7ENX4fkPlLui3IfZCSW+HO8evDy
	 lyG5DpHAqXbURTHsvX/zjij+OIiM4wXxfDONJlHeVss5VdeRzLwUTmZlGB96A14VaV
	 Ut3MFWHdXY7zvzyzwJtV19qE6agbi+HGvpheUtP2bV7jBx+tkpRerBjcqop3cP+50H
	 oRZ4FaMCf5Wzw==
Received: from 192.168.10.46
	by mg.richtek.com with MailGates ESMTPS Server V6.0(3885196:0:AUTH_RELAY)
	(envelope-from <cy_huang@richtek.com>)
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256); Wed, 08 May 2024 10:51:52 +0800 (CST)
Received: from ex4.rt.l (192.168.10.47) by ex3.rt.l (192.168.10.46) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Wed, 8 May 2024
 10:51:51 +0800
Received: from linuxcarl2.richtek.com (192.168.10.154) by ex4.rt.l
 (192.168.10.45) with Microsoft SMTP Server id 15.2.1544.4 via Frontend
 Transport; Wed, 8 May 2024 10:51:51 +0800
From: <cy_huang@richtek.com>
To: Sakari Ailus <sakari.ailus@linux.intel.com>, Mauro Carvalho Chehab
	<mchehab@kernel.org>
CC: Daniel Scally <djrscally@gmail.com>, Laurent Pinchart
	<laurent.pinchart@ideasonboard.com>, Jean-Michel Hautbois
	<jeanmichel.hautbois@ideasonboard.com>, <linux-media@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, ChiYuan Huang <cy_huang@richtek.com>
Subject: [PATCH] media: v4l: async: Fix NULL pointer when v4l2 flash subdev binding
Date: Wed, 8 May 2024 10:51:49 +0800
Message-ID: <e2f9f2b7b7de956d70b8567a2ab285409fff988b.1715136478.git.cy_huang@richtek.com>
X-Mailer: git-send-email 1.8.3.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain

From: ChiYuan Huang <cy_huang@richtek.com>

In v4l2_async_create_ancillary_links(), if v4l2 async notifier is
created from v4l2 device, the v4l2 flash subdev async binding will enter
the logic to create media link. Due to the subdev of notifier is NULL,
this will cause NULL pointer to access the subdev entity. Therefore, add
the check to bypass it.

Fixes: aa4faf6eb271 ("media: v4l2-async: Create links during v4l2_async_match_notify()")
Signed-off-by: ChiYuan Huang <cy_huang@richtek.com>
---
Hi,

  I'm trying to bind the v4l2 subdev for flashlight testing. It seems
some logic in v4l2 asynd binding is incorrect.

From the change, I modified vim2m as the test driver to bind mt6370 flashlight.

Here's the backtrace log.

 vim2m soc:vim2m: bound [white:flash-2]
 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
 ......skipping
 Call trace:
  media_create_ancillary_link+0x48/0xd8 [mc]
  v4l2_async_match_notify+0x17c/0x208 [v4l2_async]
  v4l2_async_register_subdev+0xb8/0x1d0 [v4l2_async]
  __v4l2_flash_init.part.0+0x3b4/0x4b0 [v4l2_flash_led_class]
  v4l2_flash_init+0x28/0x48 [v4l2_flash_led_class]
  mt6370_led_probe+0x348/0x690 [leds_mt6370_flash]

After tracing the code, it will let the subdev labeled as F_LENS or
F_FLASH function to create media link. To prevent the NULL pointer
issue, the simplest way is add a check when 'n->sd' is NULL and bypass
the later media link creataion.
---
 drivers/media/v4l2-core/v4l2-async.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
index 3ec323bd528b..9d3161c51954 100644
--- a/drivers/media/v4l2-core/v4l2-async.c
+++ b/drivers/media/v4l2-core/v4l2-async.c
@@ -324,6 +324,9 @@ static int v4l2_async_create_ancillary_links(struct v4l2_async_notifier *n,
 	    sd->entity.function != MEDIA_ENT_F_FLASH)
 		return 0;
 
+	if (!n->sd)
+		return 0;
+
 	link = media_create_ancillary_link(&n->sd->entity, &sd->entity);
 
 #endif
-- 
2.34.1