Re: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization to allocate active state

On Wed, Sep 07, 2022 at 03:46:26PM +0300, Tomi Valkeinen wrote:
> Hi Maximilian,
> 
> On 07/09/2022 15:33, Maximilian Luz wrote:
> > Commit f69952a4dc1e ("media: subdev: add active state to struct
> > v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
> > This state needs to be allocated via v4l2_subdev_init_finalize(). The
> > intel-ipu3 driver unfortunately does not do that, due to which,
> 
> That is fine, a driver only needs to allocate the active state if it uses
> the active state.
> 
> > active_state is NULL and we run into an oops (NULL pointer dereference)
> > when that state is accessed.
> > 
> > In particular, this happens in subdev IOCTLs as commit 3cc7a4bbc381
> > ("media: subdev: pass also the active state to subdevs from ioctls")
> > passes that state on to the subdev IOCTLs. An example scenario where
> > this happens is running libcamera's qcam or cam on a device with IPU3,
> > for example the Microsoft Surface Book 2. In this case, the oops is
> > reproducible in v4l2_subdev_get_try_crop(), called via
> > imgu_subdev_set_selection().
> > 
> > To fix this, allocate the active_state member via
> > v4l2_subdev_init_finalize().
> 
> This is not a correct fix. Sakari has sent (and maybe pushed?) this:
> 
> https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@xxxxxxxxxxxxxxx/

This being said, it would be nice to convert drivers to use the active
state, but that's not related to fixing this issue.

> > Link: https://github.com/linux-surface/linux-surface/issues/907
> > Fixes: 3cc7a4bbc381 ("media: subdev: pass also the active state to subdevs from ioctls")
> > Signed-off-by: Maximilian Luz <luzmaximilian@xxxxxxxxx>
> > ---
> >   drivers/staging/media/ipu3/ipu3-v4l2.c | 12 +++++++++++-
> >   1 file changed, 11 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
> > index d1c539cefba8..84ab98ba9a2e 100644
> > --- a/drivers/staging/media/ipu3/ipu3-v4l2.c
> > +++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
> > @@ -1093,10 +1093,18 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
> >   			"failed to create subdev v4l2 ctrl with err %d", r);
> >   		goto fail_subdev;
> >   	}
> > +
> > +	r = v4l2_subdev_init_finalize(&imgu_sd->subdev);
> > +	if (r) {
> > +		dev_err(&imgu->pci_dev->dev,
> > +			"failed to initialize subdev (%d)\n", r);
> > +		goto fail_subdev;
> > +	}
> > +
> >   	r = v4l2_device_register_subdev(&imgu->v4l2_dev, &imgu_sd->subdev);
> >   	if (r) {
> >   		dev_err(&imgu->pci_dev->dev,
> > -			"failed initialize subdev (%d)\n", r);
> > +			"failed to register subdev (%d)\n", r);
> >   		goto fail_subdev;
> >   	}
> >   
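
Review bot: the v4l2_subdev_init_finalize() call added before v4l2_device_register_subdev() allocates an active state, but nothing in this patch makes the driver use that state; it only ensures the pointer handed to the ioctl handlers is non-NULL. Since the commit message locates the oops in v4l2_subdev_get_try_crop() called via imgu_subdev_set_selection(), please explain why allocating the state is preferable to fixing that call path, or fix the state handling there instead.
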
> > @@ -1104,6 +1112,7 @@ static int imgu_v4l2_subdev_register(struct imgu_device *imgu,
> >   	return 0;
> >   
> >   fail_subdev:
> > +	v4l2_subdev_cleanup(&imgu_sd->subdev);
> >   	v4l2_ctrl_handler_free(imgu_sd->subdev.ctrl_handler);
> >   	media_entity_cleanup(&imgu_sd->subdev.entity);
> >   
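
Review bot: fail_subdev is also the target of the earlier "failed to create subdev v4l2 ctrl" error path shown in the first hunk, which runs before v4l2_subdev_init_finalize(), so the added v4l2_subdev_cleanup() can run on a subdev that was never finalized. Either state in the commit message that v4l2_subdev_cleanup() is safe on such a subdev, or add a separate label so that only failures after a successful v4l2_subdev_init_finalize() reach it.
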
> > @@ -1275,6 +1284,7 @@ static void imgu_v4l2_subdev_cleanup(struct imgu_device *imgu, unsigned int i)
> >   	struct imgu_media_pipe *imgu_pipe = &imgu->imgu_pipe[i];
> >   
> >   	v4l2_device_unregister_subdev(&imgu_pipe->imgu_sd.subdev);
> > +	v4l2_subdev_cleanup(&imgu_pipe->imgu_sd.subdev);
> >   	v4l2_ctrl_handler_free(imgu_pipe->imgu_sd.subdev.ctrl_handler);
> >   	media_entity_cleanup(&imgu_pipe->imgu_sd.subdev.entity);
> >   }
> 

-- 
Regards,

Laurent Pinchart



