Commit 512f0b7e authored by Jacopo Mondi's avatar Jacopo Mondi Committed by Hans Verkuil
Browse files

media: cx18: Fix invalid access to file * 



Sice commit 7b9eb53e ("media: cx18: Access v4l2_fh from file")
all ioctl handlers have been ported to operate on the file * first
function argument.

The cx18 DVB layer calls cx18_init_on_first_open() when the driver needs
to start streaming. This function calls the s_input(), s_std() and
s_frequency() ioctl handlers directly, but being called from the driver
context, it doesn't have a valid file * to pass them. This causes
the ioctl handlers to deference an invalid pointer.

Fix this by moving the implementation of those ioctls to functions that
take a cx18 pointer instead of a file pointer, and turn the V4L2 ioctl
handlers into wrappers that get the cx18 from the file. When calling
from cx18_init_on_first_open(), pass the cx18 pointer directly. This
allows removing the fake fh in cx18_init_on_first_open().

The bug has been reported by Smatch:

--> 1223         cx18_s_input(NULL, &fh, video_input);
The patch adds a new dereference of "file" but some of the callers pass a
NULL pointer.

Reported-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/all/aKL4OMWsESUdX8KQ@stanley.mountain/


Fixes: 7b9eb53e ("media: cx18: Access v4l2_fh from file")
Cc: stable@vger.kernel.org
Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Tested-by: default avatarHans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: default avatarJacopo Mondi <jacopo.mondi@ideasonboard.com>
Signed-off-by: default avatarHans Verkuil <hverkuil+cisco@kernel.org>
parent 3a866087

drivers/media/pci/cx18/cx18-driver.c

+3 −6
Original line number Diff line number Diff line
@@ -1136,11 +1136,8 @@ int cx18_init_on_first_open(struct cx18 *cx) 
	int video_input;

	int fw_retry_count = 3;

	struct v4l2_frequency vf;

	struct cx18_open_id fh;

	v4l2_std_id std;



	fh.cx = cx;



	if (test_bit(CX18_F_I_FAILED, &cx->i_flags))

		return -ENXIO;
@@ -1220,14 +1217,14 @@ int cx18_init_on_first_open(struct cx18 *cx) 


	video_input = cx->active_input;

	cx->active_input++;	/* Force update of input */

	cx18_s_input(NULL, &fh, video_input);

	cx18_do_s_input(cx, video_input);



	/* Let the VIDIOC_S_STD ioctl do all the work, keeps the code

	   in one place. */

	cx->std++;		/* Force full standard initialization */

	std = (cx->tuner_std == V4L2_STD_ALL) ? V4L2_STD_NTSC_M : cx->tuner_std;

	cx18_s_std(NULL, &fh, std);

	cx18_s_frequency(NULL, &fh, &vf);

	cx18_do_s_std(cx, std);

	cx18_do_s_frequency(cx, &vf);

	return 0;

}

drivers/media/pci/cx18/cx18-ioctl.c

+19 −11
Original line number Diff line number Diff line
@@ -521,10 +521,8 @@ static int cx18_g_input(struct file *file, void *fh, unsigned int *i) 
	return 0;

}



int cx18_s_input(struct file *file, void *fh, unsigned int inp)

int cx18_do_s_input(struct cx18 *cx, unsigned int inp)

{

	struct cx18_open_id *id = file2id(file);

	struct cx18 *cx = id->cx;

	v4l2_std_id std = V4L2_STD_ALL;

	const struct cx18_card_video_input *card_input =

				cx->card->video_inputs + inp;
@@ -558,6 +556,11 @@ int cx18_s_input(struct file *file, void *fh, unsigned int inp) 
	return 0;

}



static int cx18_s_input(struct file *file, void *fh, unsigned int inp)

{

	return cx18_do_s_input(file2id(file)->cx, inp);

}



static int cx18_g_frequency(struct file *file, void *fh,

				struct v4l2_frequency *vf)

{
@@ -570,11 +573,8 @@ static int cx18_g_frequency(struct file *file, void *fh, 
	return 0;

}



int cx18_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *vf)

int cx18_do_s_frequency(struct cx18 *cx, const struct v4l2_frequency *vf)

{

	struct cx18_open_id *id = file2id(file);

	struct cx18 *cx = id->cx;



	if (vf->tuner != 0)

		return -EINVAL;
@@ -585,6 +585,12 @@ int cx18_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *v 
	return 0;

}



static int cx18_s_frequency(struct file *file, void *fh,

			    const struct v4l2_frequency *vf)

{

	return cx18_do_s_frequency(file2id(file)->cx, vf);

}



static int cx18_g_std(struct file *file, void *fh, v4l2_std_id *std)

{

	struct cx18 *cx = file2id(file)->cx;
@@ -593,11 +599,8 @@ static int cx18_g_std(struct file *file, void *fh, v4l2_std_id *std) 
	return 0;

}



int cx18_s_std(struct file *file, void *fh, v4l2_std_id std)

int cx18_do_s_std(struct cx18 *cx, v4l2_std_id std)

{

	struct cx18_open_id *id = file2id(file);

	struct cx18 *cx = id->cx;



	if ((std & V4L2_STD_ALL) == 0)

		return -EINVAL;
@@ -642,6 +645,11 @@ int cx18_s_std(struct file *file, void *fh, v4l2_std_id std) 
	return 0;

}



static int cx18_s_std(struct file *file, void *fh, v4l2_std_id std)

{

	return cx18_do_s_std(file2id(file)->cx, std);

}



static int cx18_s_tuner(struct file *file, void *fh, const struct v4l2_tuner *vt)

{

	struct cx18_open_id *id = file2id(file);

drivers/media/pci/cx18/cx18-ioctl.h

+5 −3
Original line number Diff line number Diff line
@@ -12,6 +12,8 @@ u16 cx18_service2vbi(int type); 
void cx18_expand_service_set(struct v4l2_sliced_vbi_format *fmt, int is_pal);

u16 cx18_get_service_set(struct v4l2_sliced_vbi_format *fmt);

void cx18_set_funcs(struct video_device *vdev);

int cx18_s_std(struct file *file, void *fh, v4l2_std_id std);

int cx18_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *vf);

int cx18_s_input(struct file *file, void *fh, unsigned int inp);
 


struct cx18;

int cx18_do_s_std(struct cx18 *cx, v4l2_std_id std);

int cx18_do_s_frequency(struct cx18 *cx, const struct v4l2_frequency *vf);

int cx18_do_s_input(struct cx18 *cx, unsigned int inp);