[PATCH 5.10 527/717] media: ipu3-cio2: Validate mbus format in setting subdev format

From: Greg Kroah-Hartman
Date: Mon Dec 28 2020 - 09:45:19 EST


From: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>

commit a86cf9b29e8b12811cf53c4970eefe0c1d290476 upstream.

Validate media bus code, width and height when setting the subdev format.

This effectively reworks how setting subdev format is implemented in the
driver.

Fixes: c2a6a07afe4a ("media: intel-ipu3: cio2: add new MIPI-CSI2 driver")
Signed-off-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>
Reviewed-by: Andy Shevchenko <andy.shevchenko@xxxxxxxxx>
Reviewed-by: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # v4.16 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/media/pci/intel/ipu3/ipu3-cio2.c | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)

--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c
+++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c
@@ -1258,6 +1258,9 @@ static int cio2_subdev_set_fmt(struct v4
struct v4l2_subdev_format *fmt)
{
struct cio2_queue *q = container_of(sd, struct cio2_queue, subdev);
+ struct v4l2_mbus_framefmt *mbus;
+ u32 mbus_code = fmt->format.code;
+ unsigned int i;

/*
* Only allow setting sink pad format;
@@ -1266,18 +1269,26 @@ static int cio2_subdev_set_fmt(struct v4
if (fmt->pad == CIO2_PAD_SOURCE)
return cio2_subdev_get_fmt(sd, cfg, fmt);

- mutex_lock(&q->subdev_lock);
+ if (fmt->which == V4L2_SUBDEV_FORMAT_TRY)
+ mbus = v4l2_subdev_get_try_format(sd, cfg, fmt->pad);
+ else
+ mbus = &q->subdev_fmt;
+
+ fmt->format.code = formats[0].mbus_code;

- if (fmt->which == V4L2_SUBDEV_FORMAT_TRY) {
- *v4l2_subdev_get_try_format(sd, cfg, fmt->pad) = fmt->format;
- } else {
- /* It's the sink, allow changing frame size */
- q->subdev_fmt.width = fmt->format.width;
- q->subdev_fmt.height = fmt->format.height;
- q->subdev_fmt.code = fmt->format.code;
- fmt->format = q->subdev_fmt;
+ for (i = 0; i < ARRAY_SIZE(formats); i++) {
+ if (formats[i].mbus_code == fmt->format.code) {
+ fmt->format.code = mbus_code;
+ break;
+ }
}

+ fmt->format.width = min_t(u32, fmt->format.width, CIO2_IMAGE_MAX_WIDTH);
+ fmt->format.height = min_t(u32, fmt->format.height,
+ CIO2_IMAGE_MAX_LENGTH);
+
+ mutex_lock(&q->subdev_lock);
+ *mbus = fmt->format;
mutex_unlock(&q->subdev_lock);

return 0;