6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChiYuan Huang <cy_huang@xxxxxxxxxxx>
[ Upstream commit 9b4667ea67854f0b116fe22ad11ef5628c5b5b5f ]
In v4l2_async_create_ancillary_links(), ancillary links are created for
lens and flash sub-devices. These are sub-device to sub-device links and
if the async notifier is related to a V4L2 device, the source sub-device
of the ancillary link is NULL, leading to a NULL pointer dereference.
Check the notifier's sd field is non-NULL in
v4l2_async_create_ancillary_links().
Fixes: aa4faf6eb271 ("media: v4l2-async: Create links during v4l2_async_match_notify()")
Signed-off-by: ChiYuan Huang <cy_huang@xxxxxxxxxxx>
[Sakari Ailus: Reword the subject and commit messages slightly.]
Signed-off-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/media/v4l2-core/v4l2-async.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/v4l2-core/v4l2-async.c b/drivers/media/v4l2-core/v4l2-async.c
index eaa15b8df76df..ac4d987bba255 100644
--- a/drivers/media/v4l2-core/v4l2-async.c
+++ b/drivers/media/v4l2-core/v4l2-async.c
@@ -324,6 +324,9 @@ static int v4l2_async_create_ancillary_links(struct v4l2_async_notifier *n,
sd->entity.function != MEDIA_ENT_F_FLASH)
return 0;
+ if (!n->sd)
+ return 0;
+
link = media_create_ancillary_link(&n->sd->entity, &sd->entity);
#endif
--
2.43.0
