From: Sajja Easwar Sai
To: sakari.ailus@linux.intel.com
Cc: bingbu.cao@intel.com, tian.shu.qiu@intel.com, mchehab@kernel.org, gregkh@linuxfoundation.org, yong.zhi@intel.com, tfiga@chromium.org, linux-media@vger.kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, iryuken@duck.com, Sajja Easwar Sai
Subject: [PATCH] staging: media: ipu3: fix out-of-bounds access in imgu_map_node()
Date: Wed, 22 Apr 2026 11:49:51 +0530
Message-ID: <20260422061951.352746-1-eshwarsajja20@gmail.com>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

imgu_map_node() walks imgu_node_map[] looking for a CSS queue ID. When no
match is found the loop exits with i == IMGU_NODE_NUM, which is one past
the end of every array that is indexed by node id. The value is returned
without any bounds check, so callers that use it immediately as an array
subscript produce out-of-bounds reads.

The most critical caller is the threaded IRQ handler imgu_isr_threaded(),
where b->queue comes directly from firmware; a malformed or buggy firmware
return could therefore trigger a kernel oops.

Harden the code in three steps:

1. Add a WARN_ON() inside imgu_map_node() so the 'not-found' sentinel is
   made explicit and any future regression surfaces immediately.
2. Guard imgu_isr_threaded(): skip the affected buffer and emit a dev_err()
   rather than indexing imgu_node_map[] out of bounds.
3. Guard imgu_dummybufs_init(): continue the loop if the lookup fails
   (this cannot happen today, but protects against future queue-table
   changes).

Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver")
Signed-off-by: Sajja Easwar Sai
---
diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c
index 84c4d0bf027d..b231e7246f52 100644
--- a/drivers/staging/media/ipu3/ipu3.c +++ b/drivers/staging/media/ipu3/ipu3.c @@ -62,6 +62,12 @@ unsigned int imgu_map_node(struct imgu_device *imgu, uns= igned int css_queue) if (imgu_node_map[i].css_queue =3D=3D css_queue) break; =20 + /* + * If no entry matched, i =3D=3D IMGU_NODE_NUM which is one past the end + * of every array indexed by node id. Callers must check for this + * sentinel before using the returned value as an array index. + */ + WARN_ON(i >=3D IMGU_NODE_NUM); return i; } =20 @@ -115,6 +121,8 @@ static int imgu_dummybufs_init(struct imgu_device *imgu= , unsigned int pipe) /* Allocate a dummy buffer for each queue where buffer is optional */ for (i =3D 0; i < IPU3_CSS_QUEUES; i++) { node =3D imgu_map_node(imgu, i); + if (node >=3D IMGU_NODE_NUM) + continue; if (!imgu_pipe->queue_enabled[node] || i =3D=3D IMGU_QUEUE_MASTER) continue; =20 @@ -535,6 +543,12 @@ static irqreturn_t imgu_isr_threaded(int irq, void *im= gu_ptr) } =20 node =3D imgu_map_node(imgu, b->queue); + if (node >=3D IMGU_NODE_NUM) { + dev_err(&imgu->pci_dev->dev, + "dequeued buffer with unknown css queue %u, skipping\n", + b->queue); + continue; + } pipe =3D b->pipe; dummy =3D imgu_dummybufs_check(imgu, b, pipe); if (!dummy)
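Review bot: the WARN_ON(i >= IMGU_NODE_NUM) added at the end of imgu_map_node() (first hunk, @@ -62) is reachable with firmware-supplied input: the imgu_isr_threaded() hunk calls imgu_map_node(imgu, b->queue) and the commit message says b->queue comes directly from firmware, so a malformed firmware reply now produces a WARN splat for every bad buffer, and on a system booted with panic_on_warn that is itself a crash. Since both callers in this patch already handle the sentinel (dev_err() in the ISR, continue in imgu_dummybufs_init()), consider dropping the WARN_ON or at most making it WARN_ON_ONCE(), while keeping the comment that documents the sentinel. Minor: the comment says "i == IMGU_NODE_NUM" while the check uses ">="; either is fine since the loop can only produce that one value, but keep the two consistent.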
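Review bot: the new "if (node >= IMGU_NODE_NUM) continue;" in imgu_dummybufs_init() (second hunk, @@ -115) skips silently, whereas the matching guard in imgu_isr_threaded() logs a dev_err(); if the lookup really cannot fail today, as the commit message says, a one-line comment to that effect (or a dev_dbg()) would tell the next reader why this path is quiet. The guard could also be folded into the existing condition, "if (node >= IMGU_NODE_NUM || !imgu_pipe->queue_enabled[node] || i == IMGU_QUEUE_MASTER) continue;", where short-circuit evaluation keeps the queue_enabled[node] access safe.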
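Review bot: the "continue" in the imgu_isr_threaded() hunk (third hunk, @@ -535) bails out for a buffer that has already been dequeued from the CSS, skipping the "dummy = imgu_dummybufs_check(imgu, b, pipe);" / "if (!dummy)" completion handling that follows it; if b is a real vb2 buffer rather than a dummy, it is never marked done and the userspace DQBUF waiting on it will not return, so the guard trades an out-of-bounds read for a stuck buffer. Consider completing such a buffer through the existing error path (vb2_buffer_done() with VB2_BUF_STATE_ERROR) instead of continuing. Also, since b->queue is firmware-controlled and this runs once per dequeued buffer, dev_err_ratelimited() would stop a misbehaving firmware from flooding the log.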