From: Xiaomeng Tong
To: mchehab@kernel.org, sakari.ailus@linux.intel.com, gregkh@linuxfoundation.org, hverkuil-cisco@xs4all.nl, kitakar@gmail.com, alinesantanacordeiro@gmail.com, laurent.pinchart@ideasonboard.com, tomi.valkeinen@ideasonboard.com
Cc: linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Xiaomeng Tong, stable@vger.kernel.org
Subject: [RESEND][PATCH] pci: atomisp_cmd: fix three missing checks on list iterator
Date: Thu, 14 Apr 2022 12:14:15 +0800
Message-Id: <20220414041415.3342-1-xiam0nd.tong@gmail.com>
Content-Transfer-Encoding: quoted-printable

The three bugs are here:
    __func__, s3a_buf->s3a_data->exp_id);
    __func__, md_buf->metadata->exp_id);
    __func__, dis_buf->dis_data->exp_id);

The list iterator 's3a_buf/md_buf/dis_buf' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it will lead to an invalid memory access.

To fix this bug, add a check. Use a new variable '*_iter' as the list iterator, while using the old variable '*_buf' as a dedicated pointer to point to the found element.

Cc: stable@vger.kernel.org
Fixes: ad85094b293e4 ("Revert "media: staging: atomisp: Remove driver"")
Signed-off-by: Xiaomeng Tong
--- .../staging/media/atomisp/pci/atomisp_cmd.c | 57 ++++++++++++------- 1 file changed, 36 insertions(+), 21 deletions(-) diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/stag= ing/media/atomisp/pci/atomisp_cmd.c index 97d5a528969b..0da0b69a4637 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c +++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c 
@@ -901,9 +901,9 @@ void atomisp_buf_done(struct atomisp_sub_device *asd, i= nt error, int err; unsigned long irqflags; struct ia_css_frame *frame =3D NULL; - struct atomisp_s3a_buf *s3a_buf =3D NULL, *_s3a_buf_tmp; - struct atomisp_dis_buf *dis_buf =3D NULL, *_dis_buf_tmp; - struct atomisp_metadata_buf *md_buf =3D NULL, *_md_buf_tmp; + struct atomisp_s3a_buf *s3a_buf =3D NULL, *_s3a_buf_tmp, *s3a_iter; + struct atomisp_dis_buf *dis_buf =3D NULL, *_dis_buf_tmp, *dis_iter; + struct atomisp_metadata_buf *md_buf =3D NULL, *_md_buf_tmp, *md_iter; enum atomisp_metadata_type md_type; struct atomisp_device *isp =3D asd->isp; struct v4l2_control ctrl; 
@@ -942,60 +942,75 @@ void atomisp_buf_done(struct atomisp_sub_device *asd,= int error, =20 switch (buf_type) { case IA_CSS_BUFFER_TYPE_3A_STATISTICS: - list_for_each_entry_safe(s3a_buf, _s3a_buf_tmp, + list_for_each_entry_safe(s3a_iter, _s3a_buf_tmp, &asd->s3a_stats_in_css, list) { - if (s3a_buf->s3a_data =3D=3D + if (s3a_iter->s3a_data =3D=3D buffer.css_buffer.data.stats_3a) { - list_del_init(&s3a_buf->list); - list_add_tail(&s3a_buf->list, + list_del_init(&s3a_iter->list); + list_add_tail(&s3a_iter->list, &asd->s3a_stats_ready); + s3a_buf =3D s3a_iter; break; } } =20 asd->s3a_bufs_in_css[css_pipe_id]--; atomisp_3a_stats_ready_event(asd, buffer.css_buffer.exp_id); - dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", - __func__, s3a_buf->s3a_data->exp_id); + if (s3a_buf) + dev_dbg(isp->dev, "%s: s3a stat with exp_id %d is ready\n", + __func__, s3a_buf->s3a_data->exp_id); + else + dev_dbg(isp->dev, "%s: s3a stat is ready with no exp_id found\n", + __func__); break; case IA_CSS_BUFFER_TYPE_METADATA: if (error) break; =20 md_type =3D atomisp_get_metadata_type(asd, css_pipe_id); - list_for_each_entry_safe(md_buf, _md_buf_tmp, + list_for_each_entry_safe(md_iter, _md_buf_tmp, &asd->metadata_in_css[md_type], list) { - if (md_buf->metadata =3D=3D + if (md_iter->metadata =3D=3D buffer.css_buffer.data.metadata) { - list_del_init(&md_buf->list); - list_add_tail(&md_buf->list, + list_del_init(&md_iter->list); + list_add_tail(&md_iter->list, &asd->metadata_ready[md_type]); + md_buf =3D md_iter; break; } } asd->metadata_bufs_in_css[stream_id][css_pipe_id]--; atomisp_metadata_ready_event(asd, md_type); - dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", - __func__, md_buf->metadata->exp_id); + if (md_buf) + dev_dbg(isp->dev, "%s: metadata with exp_id %d is ready\n", + __func__, md_buf->metadata->exp_id); + else + dev_dbg(isp->dev, "%s: metadata is ready with no exp_id found\n", + __func__); break; case IA_CSS_BUFFER_TYPE_DIS_STATISTICS: - 
list_for_each_entry_safe(dis_buf, _dis_buf_tmp, + list_for_each_entry_safe(dis_iter, _dis_buf_tmp, &asd->dis_stats_in_css, list) { - if (dis_buf->dis_data =3D=3D + if (dis_iter->dis_data =3D=3D buffer.css_buffer.data.stats_dvs) { spin_lock_irqsave(&asd->dis_stats_lock, irqflags); - list_del_init(&dis_buf->list); - list_add(&dis_buf->list, &asd->dis_stats); + list_del_init(&dis_iter->list); + list_add(&dis_iter->list, &asd->dis_stats); asd->params.dis_proj_data_valid =3D true; spin_unlock_irqrestore(&asd->dis_stats_lock, irqflags); + dis_buf =3D dis_iter; break; } } asd->dis_bufs_in_css--; - dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", - __func__, dis_buf->dis_data->exp_id); + if (dis_buf) + dev_dbg(isp->dev, "%s: dis stat with exp_id %d is ready\n", + __func__, dis_buf->dis_data->exp_id); + else + dev_dbg(isp->dev, "%s: dis stat is ready with no exp_id found\n", + __func__); break; case IA_CSS_BUFFER_TYPE_VF_OUTPUT_FRAME: case IA_CSS_BUFFER_TYPE_SEC_VF_OUTPUT_FRAME: --=20 2.17.1
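
Review bot: in the declaration hunk (@@ -901,9 +901,9 @@), the `_s3a_buf_tmp`, `_dis_buf_tmp` and `_md_buf_tmp` cursors are kept and a third declarator is added to each line, although every loop in the following hunk breaks immediately after moving the matched entry. With that early `break`, plain list_for_each_entry() would be enough, so the `*_tmp` variables could be dropped instead of growing each declaration; if the `_safe` variant is kept on purpose, the commit message should say why. The new `if (s3a_buf)` style checks also depend on the existing `= NULL` initialisers visible in this hunk, which deserves a short comment so they are not later removed as redundant.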
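
Review bot: in all three cases of the second hunk (@@ -942,60 +942,75 @@), only the dev_dbg() is guarded by the new NULL check; the accounting and notification after each loop still run when no list entry matched. That covers `asd->s3a_bufs_in_css[css_pipe_id]--`, `asd->metadata_bufs_in_css[stream_id][css_pipe_id]--` and `asd->dis_bufs_in_css--`, plus the atomisp_3a_stats_ready_event() and atomisp_metadata_ready_event() calls. A buffer reported by the CSS that is not on the corresponding in_css list looks like a driver state error, not a normal outcome, so consider reporting the not-found path with dev_warn() instead of dev_dbg(), and either skip the decrement and the ready event in that path or explain in the commit message why the existing behaviour is kept.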
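
The failure mode the commit message describes, reproduced in userspace as an added example (not part of the patch or of the atomisp driver). `list_head`, `container_of` and `list_for_each_entry` are simplified copies of the kernel helpers; `demo_buf`, `demo_dev`, `demo_add`, `find_unchecked`, `find_checked` and `aliases_head` are hypothetical names, and the list entry is constructed sample data.

```c
#include <stddef.h>
/* Simplified userspace copies of the kernel list helpers (illustration only). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Hypothetical stand-ins for atomisp_s3a_buf and the asd that owns the list. */
struct demo_buf { int exp_id; struct list_head list; };
struct demo_dev { long bufs_in_css; struct list_head stats_in_css; };

static void demo_add(struct demo_dev *dev, struct demo_buf *b)
{
	struct list_head *h = &dev->stats_in_css;
	b->list.prev = h->prev; b->list.next = h;
	h->prev->next = &b->list; h->prev = &b->list;
}
/* Pre-patch pattern: the loop cursor is used after the loop. */
static struct demo_buf *find_unchecked(struct demo_dev *dev, int exp_id)
{
	struct demo_buf *buf;
	list_for_each_entry(buf, &dev->stats_in_css, list)
		if (buf->exp_id == exp_id)
			break;
	return buf; /* on a miss: container_of(head), not a real demo_buf */
}
/* Patched pattern: separate cursor; the result stays NULL unless matched. */
static struct demo_buf *find_checked(struct demo_dev *dev, int exp_id)
{
	struct demo_buf *buf = NULL, *iter;
	list_for_each_entry(iter, &dev->stats_in_css, list)
		if (iter->exp_id == exp_id) {
			buf = iter;
			break;
		}
	return buf;
}
/* True when p is the bogus "entry" computed from the list head itself. */
static int aliases_head(struct demo_dev *dev, struct demo_buf *p)
{
	return (char *)p + offsetof(struct demo_buf, list) == (char *)&dev->stats_in_css;
}
int main(void)
{
	struct demo_dev dev = { 0, { &dev.stats_in_css, &dev.stats_in_css } };
	struct demo_buf a = { 7, { NULL, NULL } }; /* constructed sample entry */
	demo_add(&dev, &a);
	return !(aliases_head(&dev, find_unchecked(&dev, 99)) && !find_checked(&dev, 99));
}
```

On a miss the unchecked cursor is never NULL: it is the list head reinterpreted as an entry, so dereferencing it reads whatever fields of the owning structure sit around the head.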