Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()

vfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop
bound and passes the index to vfe_isr_reg_update(). However,
vfe->line[] array is defined with VFE_LINE_NUM_MAX(4):

struct vfe_line line[VFE_LINE_NUM_MAX];

When index is 4, 5, 6, the access to vfe->line[line_id] exceeds
the array bounds, resulting in out-of-bounds memory access.

Fix this by using separate loops for output lines and write masters.

Fixes: 4edc8eae715c ("media: camss: Add initial support for VFE hardware version Titan 480")
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>

Authored by Alper Ak and committed by Hans Verkuil
d965919a 0b61ce8d

+4 -2
drivers/media/platform/qcom/camss/camss-vfe-480.c
··· 202 202 writel_relaxed(status, vfe->base + VFE_BUS_IRQ_CLEAR(0)); 203 203 writel_relaxed(1, vfe->base + VFE_BUS_IRQ_CLEAR_GLOBAL); 204 204 205 - /* Loop through all WMs IRQs */ 206 - for (i = 0; i < MSM_VFE_IMAGE_MASTERS_NUM; i++) { 205 + for (i = 0; i < MAX_VFE_OUTPUT_LINES; i++) { 207 206 if (status & BUS_IRQ_MASK_0_RDI_RUP(vfe, i)) 208 207 vfe_isr_reg_update(vfe, i); 208 + } 209 209 210 + /* Loop through all WMs IRQs */ 211 + for (i = 0; i < MSM_VFE_IMAGE_MASTERS_NUM; i++) { 210 212 if (status & BUS_IRQ_MASK_0_COMP_DONE(vfe, RDI_COMP_GROUP(i))) 211 213 vfe_buf_done(vfe, i); 212 214 }
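
Review bot: The new first loop, `for (i = 0; i < MAX_VFE_OUTPUT_LINES; i++)`, is bounded by a different constant than the one the commit message gives for the array (`struct vfe_line line[VFE_LINE_NUM_MAX]`), so the fix holds only while MAX_VFE_OUTPUT_LINES stays at or below VFE_LINE_NUM_MAX. Consider bounding the loop with ARRAY_SIZE(vfe->line) or VFE_LINE_NUM_MAX so the index is tied to the array it guards, or state the relation between the two constants in the commit message. The first loop also lost its comment when `/* Loop through all WMs IRQs */` moved down to the second loop; a one-line comment saying it handles the per-line reg-update IRQs would keep the split readable. Since the second loop still passes i up to MSM_VFE_IMAGE_MASTERS_NUM into `vfe_buf_done(vfe, i)`, the commit message should also say whether that callee indexes vfe->line[] with its argument, as that is not visible from this hunk.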