[PATCH 1/5] media: nxp: imx8-isi: Fix stream ID validation bypass in crossbar routing
From: Guoniu Zhou
Date: Mon Jun 29 2026 - 04:04:27 EST
The crossbar routing validation has a critical bug where it validates
the wrong routing table, allowing userspace to bypass validation entirely.
The __mxc_isi_crossbar_set_routing() function is called to validate and
apply a new routing table from userspace. However, the validation loop
iterates over state->routing (the currently active routing table) instead
of the routing parameter (the new table being validated):
for_each_active_route(&state->routing, route) {
This means userspace can submit any invalid routing configuration and it
will pass validation as long as the currently active routing is valid.
This is a security issue as it allows userspace to configure routes that
violate hardware constraints, potentially causing undefined hardware
behavior.
Fix by validating the routing table that will actually be applied:
for_each_active_route(routing, route) {
Additionally, add validation to enforce hardware constraints that were
previously missing:
- SOURCE stream must be 0 (ISI pipes are hardcoded to stream 0)
- SINK stream must be less than the ISI channel count
- Memory input can only route to the first pipeline (existing check)
Fixes: cf21f328fcaf ("media: nxp: Add i.MX8 ISI driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Guoniu Zhou <guoniu.zhou@xxxxxxxxxxx>
---
.../platform/nxp/imx8-isi/imx8-isi-crossbar.c | 24 ++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/nxp/imx8-isi/imx8-isi-crossbar.c b/drivers/media/platform/nxp/imx8-isi/imx8-isi-crossbar.c
index c580c831972e..29f14d30dbbb 100644
--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-crossbar.c
+++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-crossbar.c
@@ -106,8 +106,28 @@ static int __mxc_isi_crossbar_set_routing(struct v4l2_subdev *sd,
if (ret)
return ret;
- /* The memory input can be routed to the first pipeline only. */
- for_each_active_route(&state->routing, route) {
+ /*
+ * Validate routes against hardware constraints:
+ * - SOURCE stream must be 0 (pipes are hardcoded to stream 0)
+ * - SINK stream must be < ISI channel count
+ * - Memory input can only route to the first pipeline
+ */
+ for_each_active_route(routing, route) {
+ if (route->source_stream != 0) {
+ dev_dbg(xbar->isi->dev,
+ "route to pipe %u must use source_stream=0, got %u\n",
+ route->source_pad - xbar->num_sinks,
+ route->source_stream);
+ return -ENXIO;
+ }
+
+ if (route->sink_stream >= xbar->num_sources) {
+ dev_dbg(xbar->isi->dev,
+ "sink_stream %u exceeds hardware limit %u\n",
+ route->sink_stream, xbar->num_sources - 1);
+ return -ENXIO;
+ }
+
if (route->sink_pad == xbar->num_sinks - 1 &&
route->source_pad != xbar->num_sinks) {
dev_dbg(xbar->isi->dev,
--
2.34.1