Re: [PATCH] staging: media: ipu3: fix out-of-bounds access in imgu_map_node()

Next message: Baolin Wang: "Re: [PATCH v3] mm: shmem: always support large folios for internal shmem mount"
Previous message: Juri Lelli: "Re: [PATCH] sched/deadline: Fix replenishment logic for non-deferred servers"
In reply to: Sajja Easwar Sai: "[PATCH] staging: media: ipu3: fix out-of-bounds access in imgu_map_node()"
Next in thread: Sakari Ailus: "Re: [PATCH] staging: media: ipu3: fix out-of-bounds access in imgu_map_node()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg KH

Date: Wed Apr 22 2026 - 02:33:30 EST

On Wed, Apr 22, 2026 at 11:49:51AM +0530, Sajja Easwar Sai wrote:
> imgu_map_node() walks imgu_node_map[] looking for a CSS queue ID. When
> no match is found the loop exits with i == IMGU_NODE_NUM, which is one
> past the end of every array that is indexed by node id. The value is
> returned without any bounds check, so callers that use it immediately
> as an array subscript produce out-of-bounds reads.
>
> The most critical caller is the threaded IRQ handler
> imgu_isr_threaded(), where b->queue comes directly from firmware; a
> malformed or buggy firmware return could therefore trigger a kernel
> oops.
>
> Harden the code in three steps:
> 1. Add a WARN_ON() inside imgu_map_node() so the 'not-found' sentinel
> is made explicit and any future regression surfaces immediately.

And then you just rebooted the machine, causing all data to be lost when
panic-on-warn is enabled :(

If this condition can be hit, then great, handle it properly and
recover, please do not crash machines. WARN_ON() should not be used for
anything that a user can ever cause to have happen.

thanks,

greg k-h