| Message ID | 20200915123914.22807-1-jacopo+renesas@jmondi.org |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] media: i2c: max9286: Fix async subdev size | expand |
Hi Jacopo, On 15/09/2020 13:39, Jacopo Mondi wrote: > Since Does 'Since' really need it's own line ;-) > commit 86d37bf31af6 ("media: i2c: max9286: Allocate v4l2_async_subdev dynamically") > the async subdevice registered to the max9286 notifier is dynamically > allocated by the v4l2 framework by using the > v4l2_async_notifier_add_fwnode_subdev() function. In order to allocate A newline before 'In order to' would be nice to split 'what happened' from 'what is going to happen'. Oh, in fact it doesn't describe what happened though... > enough space for max9286_asd structure that encloses the async subdevice for "the" max9286_asd... > paired with a pointer to the corresponding source, pass to the framework > the size of the whole structure in place of the one of the enclosed async > subdev. That's quite hard to parse though, and I don't think describing the contents of max9286_asd really matters here? How about: Since commit 86d37bf31af6 ("media: i2c: max9286: Allocate v4l2_async_subdev dynamically") the async subdevice registered to the max9286 notifier is dynamically allocated by the v4l2 framework by using the v4l2_async_notifier_add_fwnode_subdev() function, but provides an incorrect size, potentially leading to incorrect memory accesses. Allocate enough space for the driver specific max9286_asd structure (which contains the async subdevice) by passing the size of the correct structure. > Fixes: 86d37bf31af6 ("media: i2c: max9286: Allocate v4l2_async_subdev dynamically") > Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> The code is fine though, so with any commit message updates you deem necessary: Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> > Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org> > --- > drivers/media/i2c/max9286.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c > index c82c1493e099..6852448284ea 100644 > --- a/drivers/media/i2c/max9286.c > +++ b/drivers/media/i2c/max9286.c > @@ -577,10 +577,11 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv) > for_each_source(priv, source) { > unsigned int i = to_index(priv, source); > struct v4l2_async_subdev *asd; > + struct max9286_asd *masd; > > asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier, > source->fwnode, > - sizeof(*asd)); > + sizeof(*masd)); > if (IS_ERR(asd)) { > dev_err(dev, "Failed to add subdev for source %u: %ld", > i, PTR_ERR(asd)); > @@ -588,7 +589,8 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv) > return PTR_ERR(asd); > } > > - to_max9286_asd(asd)->source = source; > + masd = to_max9286_asd(asd); > + masd->source = source; > } > > priv->notifier.ops = &max9286_notify_ops; > -- > 2.28.0 >
Hi Kieran, On Wed, Sep 16, 2020 at 12:00:53PM +0100, Kieran Bingham wrote: > Hi Jacopo, > > On 15/09/2020 13:39, Jacopo Mondi wrote: > > Since > > Does 'Since' really need it's own line ;-) > If you don't want to break the following one (which I understand is better on a single line) yes > > commit 86d37bf31af6 ("media: i2c: max9286: Allocate v4l2_async_subdev dynamically") > > the async subdevice registered to the max9286 notifier is dynamically > > allocated by the v4l2 framework by using the > > v4l2_async_notifier_add_fwnode_subdev() function. In order to allocate > > A newline before 'In order to' would be nice to split 'what happened' > from 'what is going to happen'. Oh, in fact it doesn't describe what > happened though... > > > enough space for max9286_asd structure that encloses the async subdevice > > for "the" max9286_asd... > > > > paired with a pointer to the corresponding source, pass to the framework > > the size of the whole structure in place of the one of the enclosed async > > subdev. > > That's quite hard to parse though, and I don't think describing the > contents of max9286_asd really matters here? > > How about: > > Since commit 86d37bf31af6 ("media: i2c: max9286: Allocate > v4l2_async_subdev dynamically") the async subdevice registered to the > max9286 notifier is dynamically allocated by the v4l2 framework by using > the v4l2_async_notifier_add_fwnode_subdev() function, but provides an > incorrect size, potentially leading to incorrect memory accesses. > > Allocate enough space for the driver specific max9286_asd structure > (which contains the async subdevice) by passing the size of the correct > structure. > > > Fixes: 86d37bf31af6 ("media: i2c: max9286: Allocate v4l2_async_subdev dynamically") > > Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > > The code is fine though, so with any commit message updates you deem > necessary: > > Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com> Ok, better than mine, I'll take it in. Thanks. j > > > Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org> > > --- > > drivers/media/i2c/max9286.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c > > index c82c1493e099..6852448284ea 100644 > > --- a/drivers/media/i2c/max9286.c > > +++ b/drivers/media/i2c/max9286.c > > @@ -577,10 +577,11 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv) > > for_each_source(priv, source) { > > unsigned int i = to_index(priv, source); > > struct v4l2_async_subdev *asd; > > + struct max9286_asd *masd; > > > > asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier, > > source->fwnode, > > - sizeof(*asd)); > > + sizeof(*masd)); > > if (IS_ERR(asd)) { > > dev_err(dev, "Failed to add subdev for source %u: %ld", > > i, PTR_ERR(asd)); > > @@ -588,7 +589,8 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv) > > return PTR_ERR(asd); > > } > > > > - to_max9286_asd(asd)->source = source; > > + masd = to_max9286_asd(asd); > > + masd->source = source; > > } > > > > priv->notifier.ops = &max9286_notify_ops; > > -- > > 2.28.0 > > >
diff --git a/drivers/media/i2c/max9286.c b/drivers/media/i2c/max9286.c index c82c1493e099..6852448284ea 100644 --- a/drivers/media/i2c/max9286.c +++ b/drivers/media/i2c/max9286.c @@ -577,10 +577,11 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv) for_each_source(priv, source) { unsigned int i = to_index(priv, source); struct v4l2_async_subdev *asd; + struct max9286_asd *masd; asd = v4l2_async_notifier_add_fwnode_subdev(&priv->notifier, source->fwnode, - sizeof(*asd)); + sizeof(*masd)); if (IS_ERR(asd)) { dev_err(dev, "Failed to add subdev for source %u: %ld", i, PTR_ERR(asd)); @@ -588,7 +589,8 @@ static int max9286_v4l2_notifier_register(struct max9286_priv *priv) return PTR_ERR(asd); } - to_max9286_asd(asd)->source = source; + masd = to_max9286_asd(asd); + masd->source = source; } priv->notifier.ops = &max9286_notify_ops;
Since commit 86d37bf31af6 ("media: i2c: max9286: Allocate v4l2_async_subdev dynamically") the async subdevice registered to the max9286 notifier is dynamically allocated by the v4l2 framework by using the v4l2_async_notifier_add_fwnode_subdev() function. In order to allocate enough space for max9286_asd structure that encloses the async subdevice paired with a pointer to the corresponding source, pass to the framework the size of the whole structure in place of the one of the enclosed async subdev. Fixes: 86d37bf31af6 ("media: i2c: max9286: Allocate v4l2_async_subdev dynamically") Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org> --- drivers/media/i2c/max9286.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -- 2.28.0