[PATCH 5.11 214/775] media: ti-vpe: cal: fix write to unallocated memory

From: Greg Kroah-Hartman
Date: Mon Mar 01 2021 - 21:49:40 EST


From: Tomi Valkeinen <tomi.valkeinen@xxxxxxxxxxxxxxxx>

[ Upstream commit 5a402af5e19f215689e8bf3cc244c21d94eba3c4 ]

The asd allocated with v4l2_async_notifier_add_fwnode_subdev() must be
of size cal_v4l2_async_subdev, otherwise access to
cal_v4l2_async_subdev->phy will go to unallocated memory.

Fixes: 8fcb7576ad19 ("media: ti-vpe: cal: Allow multiple contexts per subdev notifier")
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@xxxxxxxxxxxxxxxx>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/media/platform/ti-vpe/cal.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
index 59a0266b1f399..2eef245c31a17 100644
--- a/drivers/media/platform/ti-vpe/cal.c
+++ b/drivers/media/platform/ti-vpe/cal.c
@@ -406,7 +406,7 @@ static irqreturn_t cal_irq(int irq_cal, void *data)
*/

struct cal_v4l2_async_subdev {
- struct v4l2_async_subdev asd;
+ struct v4l2_async_subdev asd; /* Must be first */
struct cal_camerarx *phy;
};

@@ -472,7 +472,7 @@ static int cal_async_notifier_register(struct cal_dev *cal)
fwnode = of_fwnode_handle(phy->sensor_node);
asd = v4l2_async_notifier_add_fwnode_subdev(&cal->notifier,
fwnode,
- sizeof(*asd));
+ sizeof(*casd));
if (IS_ERR(asd)) {
phy_err(phy, "Failed to add subdev to notifier\n");
ret = PTR_ERR(asd);
--
2.27.0