Message ID | 7883f30a-0646-440c-95d5-937062ce10b6@moroto.mountain |
---|---|
State | New |
Series | media: qcom: camss: Fix potential crash in cleanup in camss_configure_pd() |
Hello Dan, On 9/10/24 22:55, Dan Carpenter wrote: > This function calls dev_pm_domain_detach(camss->genpd, true) in the > cleanup path. But calling detach is only necessary if the attach > succeeded. If it didn't succeed then "camss->genpd" is either an error > pointer or NULL and it leads to a crash. > > Fixes: 23aa4f0cd327 ("media: qcom: camss: Move VFE power-domain specifics into vfe.c") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > drivers/media/platform/qcom/camss/camss.c | 15 +++++---------- > 1 file changed, 5 insertions(+), 10 deletions(-) > > diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c > index 1923615f0eea..f4531e7341d4 100644 > --- a/drivers/media/platform/qcom/camss/camss.c > +++ b/drivers/media/platform/qcom/camss/camss.c > @@ -2130,10 +2130,8 @@ static int camss_configure_pd(struct camss *camss) > if (camss->res->pd_name) { > camss->genpd = dev_pm_domain_attach_by_name(camss->dev, > camss->res->pd_name); > - if (IS_ERR(camss->genpd)) { > - ret = PTR_ERR(camss->genpd); > - goto fail_pm; > - } > + if (IS_ERR(camss->genpd)) > + return PTR_ERR(camss->genpd); > } > > if (!camss->genpd) { > @@ -2141,13 +2141,10 @@ static int camss_configure_pd(struct camss *camss) > */ > camss->genpd = dev_pm_domain_attach_by_id(camss->dev, > camss->genpd_num - 1); > - } > - if (IS_ERR_OR_NULL(camss->genpd)) { > + if (IS_ERR(camss->genpd)) > + return PTR_ERR(camss->genpd); > if (!camss->genpd) > - ret = -ENODEV; > - else > - ret = PTR_ERR(camss->genpd); > - goto fail_pm; > + return -ENODEV; > } > camss->genpd_link = device_link_add(camss->dev, camss->genpd, > DL_FLAG_STATELESS | DL_FLAG_PM_RUNTIME | the problem has been already addressed, it is a real crash, not just a potential one. Please see https://lore.kernel.org/all/20240813210342.1765944-1-vladimir.zapolskiy@linaro.org/ -- Best wishes, Vladimir
diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c index 1923615f0eea..f4531e7341d4 100644 --- a/drivers/media/platform/qcom/camss/camss.c +++ b/drivers/media/platform/qcom/camss/camss.c @@ -2130,10 +2130,8 @@ static int camss_configure_pd(struct camss *camss) if (camss->res->pd_name) { camss->genpd = dev_pm_domain_attach_by_name(camss->dev, camss->res->pd_name); - if (IS_ERR(camss->genpd)) { - ret = PTR_ERR(camss->genpd); - goto fail_pm; - } + if (IS_ERR(camss->genpd)) + return PTR_ERR(camss->genpd); } if (!camss->genpd) { @@ -2141,13 +2141,10 @@ static int camss_configure_pd(struct camss *camss) */ camss->genpd = dev_pm_domain_attach_by_id(camss->dev, camss->genpd_num - 1); - } - if (IS_ERR_OR_NULL(camss->genpd)) { + if (IS_ERR(camss->genpd)) + return PTR_ERR(camss->genpd); if (!camss->genpd) - ret = -ENODEV; - else - ret = PTR_ERR(camss->genpd); - goto fail_pm; + return -ENODEV; } camss->genpd_link = device_link_add(camss->dev, camss->genpd, DL_FLAG_STATELESS | DL_FLAG_PM_RUNTIME |
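Review bot: In the first hunk (the dev_pm_domain_attach_by_name() branch), the new early `return PTR_ERR(camss->genpd);` leaves the error pointer stored in camss->genpd. The commit message states that detaching an error pointer or NULL crashes, so if any other teardown path consults camss->genpd after this function fails, it would see the same bad value. Consider attaching into a local variable and assigning camss->genpd only on success, or setting the field to NULL before returning.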
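Review bot: The second hunk (the dev_pm_domain_attach_by_id() fallback) drops both `goto fail_pm` exits but the fail_pm label itself is outside the visible context, so please confirm that every remaining jump to it, for example from a failure of the device_link_add() call shown in the trailing context, can only happen after a successful attach. A one-line comment next to `if (!camss->genpd) return -ENODEV;` saying why a NULL return from the by-id attach is treated as an error here would also help, since the same function treats a NULL camss->genpd as the normal trigger for the fallback a few lines earlier.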
This function calls dev_pm_domain_detach(camss->genpd, true) in the cleanup path. But calling detach is only necessary if the attach succeeded. If it didn't succeed then "camss->genpd" is either an error pointer or NULL and it leads to a crash.

Fixes: 23aa4f0cd327 ("media: qcom: camss: Move VFE power-domain specifics into vfe.c")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

---
 drivers/media/platform/qcom/camss/camss.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)