linux/drivers/media/platform
Dmitriy Ulitin 548fa43a58 media: stm32: Potential NULL pointer dereference in dcmi_irq_thread()
At the moment of enabling irq handling:

1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback,
1923			dcmi_irq_thread, IRQF_ONESHOT,
1924			dev_name(&pdev->dev), dcmi);

there is still an uninitialized field sd_format of struct stm32_dcmi *dcmi.
If an interrupt occurs in the interval between the installation of the
interrupt handler and the initialization of this field, a NULL pointer
dereference happens.

This field is dereferenced in the handler function without any check:

457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG &&
458	    dcmi->misr & IT_FRAME) {

The patch moves the interrupt handler installation
after the initialization of the sd_format field, which happens in
dcmi_graph_notify_complete() via dcmi_set_default_fmt().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Dmitriy Ulitin <ulitin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2021-09-30 10:07:44 +02:00
allegro-dvt media: allegro-dvt: avoid EN DASH char 2021-06-04 08:10:07 +02:00
am437x media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
atmel media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
cadence media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
coda media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats 2021-07-22 14:01:55 +02:00
davinci media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
exynos4-is media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
exynos-gsc media: exynos-gsc: fix pm_runtime_get_sync() usage count 2021-05-10 11:36:34 +02:00
imx-jpeg media: imx-jpeg: Constify static struct mxc_jpeg_fmt 2021-06-17 10:24:09 +02:00
marvell-ccic media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
meson/ge2d media: meson-ge2d: Fix rotation parameter changes detection in 'ge2d_s_ctrl()' 2021-09-30 10:07:39 +02:00
mtk-jpeg media: mtk-jpeg: use pm_runtime_resume_and_get() 2021-05-19 09:51:42 +02:00
mtk-mdp media: mdk-mdp: fix pm_runtime_get_sync() usage count 2021-05-10 11:36:33 +02:00
mtk-vcodec media: mtk-vcodec: fix warnings: symbol XXX was not declared 2021-09-30 10:07:42 +02:00
mtk-vpu media: mtk-vpu: on suspend, read/write regs only if vpu is running 2021-06-28 15:17:42 +02:00
omap media: videobuf2: Move frame_vector into media subsystem 2021-01-12 14:15:31 +01:00
omap3isp media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
qcom media: camss: vfe: Rework vfe_hw_version_read() function definition 2021-09-30 10:07:37 +02:00
rcar-vin media: rcar-vin: Remove explicit device availability check 2021-09-30 10:07:35 +02:00
rockchip media: rockchip: rkisp1: add support for px30 isp version 2021-09-30 10:07:37 +02:00
s3c-camif media: v4l2-subdev: add subdev-wide state struct 2021-06-17 10:01:27 +02:00
s5p-g2d media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx 2021-06-17 10:21:51 +02:00
s5p-jpeg media: s5p-jpeg: fix pm_runtime_get_sync() usage count 2021-05-10 11:36:34 +02:00
s5p-mfc media: drivers/media/platform/s5p-mfc/s5p_mfc_opr_v5.c : fix typo 'in deed imporant' > 'indeed important' 2021-07-12 09:16:36 +02:00
sti media: c8sectpfe-dvb: Remove unused including <linux/version.h> 2021-09-30 10:07:43 +02:00
stm32 media: stm32: Potential NULL pointer dereference in dcmi_irq_thread() 2021-09-30 10:07:44 +02:00
sunxi media: Rename V4L2_PIX_FMT_HM12 to V4L2_PIX_FMT_NV12_16L16 2021-09-30 10:07:39 +02:00
ti-vpe media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
vsp1 media: v4l2-subdev: fix some NULL vs IS_ERR() checks 2021-07-22 14:01:54 +02:00
xilinx media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
aspeed-video.c media: aspeed: fix clock handling logic 2021-03-11 11:59:45 +01:00
fsl-viu.c media: use getter/setter functions 2021-03-11 11:59:42 +01:00
imx-pxp.c media: imx-pxp: remove redundant dev_err call in pxp_probe() 2021-04-06 16:09:00 +02:00
imx-pxp.h
Kconfig media: mtk-vcodec: vdec: add media device if using stateless api 2021-09-30 10:07:42 +02:00
m2m-deinterlace.c media: media/platform: rename VFL_TYPE_GRABBER to _VIDEO 2020-02-24 16:54:14 +01:00
Makefile media: atmel: atmel-isc: add microchip-xisc driver 2021-06-08 15:46:31 +02:00
mx2_emmaprp.c media: mx2_emmaprp: Fix memleak in emmaprp_probe 2020-09-26 10:15:39 +02:00
pxa_camera.c media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
rcar_drif.c media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
rcar_fdp1.c media: rcar_fdp1: fix pm_runtime_get_sync() usage count 2021-05-10 11:36:33 +02:00
rcar_jpu.c media: drivers/media/platform/Rcar_jpu.c : fix typo issues 2021-06-02 14:06:51 +02:00
rcar-fcp.c media: rcar-fcp: use pm_runtime_resume_and_get() 2021-05-20 16:02:36 +02:00
renesas-ceu.c media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00
sh_vou.c media: sh_vou: fix pm_runtime_get_sync() usage count 2021-05-10 11:36:34 +02:00
via-camera.c media: v4l2-subdev: add subdev-wide state struct 2021-06-17 10:01:27 +02:00
via-camera.h
video-mux.c media: v4l: async: Rename async nf functions, clean up long lines 2021-09-30 10:07:35 +02:00