The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
Possible dependencies:
c4d344163c3a ("staging: media: tegra-video: fix device_node use after free") 2ac4035a78c9 ("media: tegra-video: Add support for x8 captures with gang ports") 4281d115a4eb ("media: tegra-video: Add DV timing support") fbef4d6bb92e ("media: tegra-video: Add support for V4L2_PIX_FMT_NV16") c1bcc5472825 ("media: tegra-video: Enable VI pixel transform for YUV and RGB formats")
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From c4d344163c3a7f90712525f931a6c016bbb35e18 Mon Sep 17 00:00:00 2001 From: Luca Ceresoli luca.ceresoli@bootlin.com Date: Wed, 2 Nov 2022 12:01:02 +0100 Subject: [PATCH] staging: media: tegra-video: fix device_node use after free
At probe time this code path is followed:
* tegra_csi_init * tegra_csi_channels_alloc * for_each_child_of_node(node, channel) -- iterates over channels * automatically gets 'channel' * tegra_csi_channel_alloc() * saves into chan->of_node a pointer to the channel OF node * automatically gets and puts 'channel' * now the node saved in chan->of_node has refcount 0, can disappear * tegra_csi_channels_init * iterates over channels * tegra_csi_channel_init -- uses chan->of_node
After that, chan->of_node keeps storing the node until the device is removed.
of_node_get() the node and of_node_put() it during teardown to avoid any risk.
Fixes: 1ebaeb09830f ("media: tegra-video: Add support for external sensor capture") Cc: stable@vger.kernel.org Cc: Sowjanya Komatineni skomatineni@nvidia.com Signed-off-by: Luca Ceresoli luca.ceresoli@bootlin.com Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl
diff --git a/drivers/staging/media/tegra-video/csi.c b/drivers/staging/media/tegra-video/csi.c index 6b59ef55c525..426e653bd55d 100644 --- a/drivers/staging/media/tegra-video/csi.c +++ b/drivers/staging/media/tegra-video/csi.c @@ -433,7 +433,7 @@ static int tegra_csi_channel_alloc(struct tegra_csi *csi, for (i = 0; i < chan->numgangports; i++) chan->csi_port_nums[i] = port_num + i * CSI_PORTS_PER_BRICK;
- chan->of_node = node; + chan->of_node = of_node_get(node); chan->numpads = num_pads; if (num_pads & 0x2) { chan->pads[0].flags = MEDIA_PAD_FL_SINK; @@ -641,6 +641,7 @@ static void tegra_csi_channels_cleanup(struct tegra_csi *csi) media_entity_cleanup(&subdev->entity); }
+ of_node_put(chan->of_node); list_del(&chan->list); kfree(chan); }