Since commit 86d37bf31af6 ("media: i2c: max9286: Allocate
v4l2_async_subdev dynamically") the async subdevice registered to the
max9286 notifier is dynamically allocated by the v4l2 framework by using
the v4l2_async_notifier_add_fwnode_subdev() function, but provides an
incorrect size, potentially leading to incorrect memory accesses.
Allocate enough space for the driver specific max9286_asd structure
(which contains the async subdevice) by passing the size of the correct
structure.
Fixes: 86d37bf31af6 ("media: i2c: max9286: Allocate v4l2_async_subdev dynamically")
Reviewed-by: Kieran Bingham <kieran.bingham+renesas@xxxxxxxxxxxxxxxx>
Reviewed-by: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
Signed-off-by: Jacopo Mondi <jacopo+renesas@xxxxxxxxxx>
---
v2->v3:
- Reword commit message as suggested by Kieran.
---
drivers/media/i2c/max9286.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c
index c82c1493e099..6852448284ea 100644
--- a/drivers/media/i2c/max9286.c
+++ b/drivers/media/i2c/max9286.c
@@ -577,10 +577,11 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv)
for_each_source(priv, source) {
unsigned int i = to_index(priv, source);
struct v4l2_async_subdev *asd;
+ struct max9286_asd *masd;
asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier,
source->fwnode,
- sizeof(*asd));
+ sizeof(*masd));
if (IS_ERR(asd)) {
dev_err(dev, "Failed to add subdev for source %u: %ld",
i, PTR_ERR(asd));
@@ -588,7 +589,8 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv)
return PTR_ERR(asd);
}
- to_max9286_asd(asd)->source = source;
+ masd = to_max9286_asd(asd);
+ masd->source = source;
}
priv->notifier.ops = &max9286_notify_ops;
--
2.28.0
