media: atomisp: Remove bogus fh use from atomisp_set_fmt*()

atomisp_set_fmt*() use a local v4l2_subdev_fh declared on the stack,
specifically they use fh.state which is never initialized so when
passing fh.state to atomisp_subdev_set_ffmt() / to
atomisp_subdev_set_selection() these functions are passing random
stack contents as a pointer.

The reason this works is because when the which parameter is
V4L2_SUBDEV_FORMAT_ACTIVE the passed in state is not used.

Remove the bogus fh usage and just pass NULL as state.

Link: https://lore.kernel.org/r/20230529103741.11904-12-hdegoede@redhat.com
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>

diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
index 2a1cb3049019e2d7d40f35411c7a8945db741ec0..87184ddf94c5c78ecb998ed3effc4b6fac3e7c76 100644 (file)
--- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c
+++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c
@@ -3908,7 +3908,6 @@ static int atomisp_set_fmt_to_isp(struct video_device *vdev,
        const struct atomisp_format_bridge *format;
        struct v4l2_rect *isp_sink_crop;
        enum ia_css_pipe_id pipe_id;
-       struct v4l2_subdev_fh fh;
        int (*configure_output)(struct atomisp_sub_device *asd,
                                unsigned int width, unsigned int height,
                                unsigned int min_width,
@@ -3929,8 +3928,6 @@ static int atomisp_set_fmt_to_isp(struct video_device *vdev,
                return -EINVAL;
        }
 
-       v4l2_fh_init(&fh.vfh, vdev);
-
        isp_sink_crop = atomisp_subdev_get_rect(
                            &asd->subdev, NULL, V4L2_SUBDEV_FORMAT_ACTIVE,
                            ATOMISP_SUBDEV_PAD_SINK, V4L2_SEL_TGT_CROP);
@@ -4138,7 +4135,6 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev, const struct v4l2_p
        struct atomisp_device *isp;
        struct atomisp_input_stream_info *stream_info =
            (struct atomisp_input_stream_info *)ffmt->reserved;
-       struct v4l2_subdev_fh fh;
        int ret;
 
        if (!asd) {
@@ -4149,8 +4145,6 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev, const struct v4l2_p
 
        isp = asd->isp;
 
-       v4l2_fh_init(&fh.vfh, vdev);
-
        format = atomisp_get_format_bridge(f->pixelformat);
        if (!format)
                return -EINVAL;
@@ -4210,7 +4204,7 @@ static int atomisp_set_fmt_to_snr(struct video_device *vdev, const struct v4l2_p
                asd->params.video_dis_en = false;
        }
 
-       atomisp_subdev_set_ffmt(&asd->subdev, fh.state,
+       atomisp_subdev_set_ffmt(&asd->subdev, NULL,
                                V4L2_SUBDEV_FORMAT_ACTIVE,
                                ATOMISP_SUBDEV_PAD_SINK, ffmt);
 
@@ -4232,7 +4226,6 @@ int atomisp_set_fmt(struct video_device *vdev, struct v4l2_format *f)
                .which = V4L2_SUBDEV_FORMAT_ACTIVE,
        };
        struct v4l2_rect isp_sink_crop;
-       struct v4l2_subdev_fh fh;
        int ret;
 
        ret = atomisp_pipe_check(pipe, true);
@@ -4243,8 +4236,6 @@ int atomisp_set_fmt(struct video_device *vdev, struct v4l2_format *f)
                "setting resolution %ux%u bytesperline %u\n",
                f->fmt.pix.width, f->fmt.pix.height, f->fmt.pix.bytesperline);
 
-       v4l2_fh_init(&fh.vfh, vdev);
-
        format_bridge = atomisp_get_format_bridge(f->fmt.pix.pixelformat);
        if (!format_bridge)
                return -EINVAL;
@@ -4288,7 +4279,7 @@ int atomisp_set_fmt(struct video_device *vdev, struct v4l2_format *f)
                                    snr_format_bridge->mbus_code;
 
        isp_source_fmt.code = format_bridge->mbus_code;
-       atomisp_subdev_set_ffmt(&asd->subdev, fh.state,
+       atomisp_subdev_set_ffmt(&asd->subdev, NULL,
                                V4L2_SUBDEV_FORMAT_ACTIVE,
                                ATOMISP_SUBDEV_PAD_SOURCE, &isp_source_fmt);
 
@@ -4328,7 +4319,7 @@ int atomisp_set_fmt(struct video_device *vdev, struct v4l2_format *f)
                isp_sink_crop.width = f->fmt.pix.width;
                isp_sink_crop.height = f->fmt.pix.height;
 
-               atomisp_subdev_set_selection(&asd->subdev, fh.state,
+               atomisp_subdev_set_selection(&asd->subdev, NULL,
                                             V4L2_SUBDEV_FORMAT_ACTIVE,
                                             ATOMISP_SUBDEV_PAD_SOURCE, V4L2_SEL_TGT_COMPOSE,
                                             0, &isp_sink_crop);
@@ -4347,7 +4338,7 @@ int atomisp_set_fmt(struct video_device *vdev, struct v4l2_format *f)
                                         f->fmt.pix.height);
                }
 
-               atomisp_subdev_set_selection(&asd->subdev, fh.state,
+               atomisp_subdev_set_selection(&asd->subdev, NULL,
                                             V4L2_SUBDEV_FORMAT_ACTIVE,
                                             ATOMISP_SUBDEV_PAD_SOURCE,
                                             V4L2_SEL_TGT_COMPOSE, 0,