git.maquefel.me Git - linux.git/commit

author	Hans de Goede <hdegoede@redhat.com>
	Mon, 1 Nov 2021 14:53:55 +0000 (14:53 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 18 Nov 2021 18:17:21 +0000 (19:17 +0100)
commit	712cb7ee75bc3bb025c00e043098114a747cf097
tree	350bb1f5bf19067be3784a59ca4414173c40d92c	tree \| snapshot
parent	c8b0f8beb56641bb986024a8f17012793e2fd9c9	commit \| diff

media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference

commit d55c3ee6b4c7b76326eb257403762f8bd7cc48c2 upstream.

Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
added a new vb member to struct vb2_dma_sg_buf, but it only added
code setting this to the vb2_dma_sg_alloc() function and not to the
vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
create vb2_dma_sg_buf objects.

This is causing a crash due to a NULL pointer deref when using
libcamera on devices with an Intel IPU3 (qcam app).

Fix these crashes by assigning buf->vb in the other 2 functions too,
note libcamera tests the vb2_dma_sg_get_userptr() path, the change
to the vb2_dma_sg_attach_dmabuf() path is untested.

Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>