From: Alain Volmat alain.volmat@foss.st.com
Correct error handling within the dcmipp_create_subdevs by properly decrementing the i counter when releasing the subdevs.
Fixes: 28e0f3772296 ("media: stm32-dcmipp: STM32 DCMIPP camera interface driver") Cc: stable@vger.kernel.org Signed-off-by: Alain Volmat alain.volmat@foss.st.com Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl [hverkuil: correct the indices: it's [i], not [i - 1].] --- The original patch would cause a crash due to the incorrect indices in the statement after the while. Since 'i' can now become 0, so i - 1 would be a negative index access, which was obviously not the intention.
I reverted the patch once I noticed this (better to hang in an infinite loop than to crash), but I want to get a proper fix in. Rather than waiting for that, I decided to just take the original patch from Alain, with just the indices fixed. --- drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c index 4acc3b90d03a..7f771ea49b78 100644 --- a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c +++ b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c @@ -202,8 +202,8 @@ static int dcmipp_create_subdevs(struct dcmipp_device *dcmipp) return 0;
err_init_entity: - while (i > 0) - dcmipp->pipe_cfg->ents[i - 1].release(dcmipp->entity[i - 1]); + while (i-- > 0) + dcmipp->pipe_cfg->ents[i].release(dcmipp->entity[i]); return ret; }
Hi Hans,
On Wed, Jul 03, 2024 at 01:59:16PM +0200, Hans Verkuil wrote:
From: Alain Volmat alain.volmat@foss.st.com
Correct error handling within the dcmipp_create_subdevs by properly decrementing the i counter when releasing the subdevs.
Fixes: 28e0f3772296 ("media: stm32-dcmipp: STM32 DCMIPP camera interface driver") Cc: stable@vger.kernel.org Signed-off-by: Alain Volmat alain.volmat@foss.st.com Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl [hverkuil: correct the indices: it's [i], not [i - 1].]
The original patch would cause a crash due to the incorrect indices in the statement after the while. Since 'i' can now become 0, so i - 1 would be a negative index access, which was obviously not the intention.
I reverted the patch once I noticed this (better to hang in an infinite loop than to crash), but I want to get a proper fix in. Rather than waiting for that, I decided to just take the original patch from Alain, with just the indices fixed.
sorry for the delay and this error within the patch.
Thanks a lot Hans and Sakari for noticing it and fixing it.
Alain
drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c index 4acc3b90d03a..7f771ea49b78 100644 --- a/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c +++ b/drivers/media/platform/st/stm32/stm32-dcmipp/dcmipp-core.c @@ -202,8 +202,8 @@ static int dcmipp_create_subdevs(struct dcmipp_device *dcmipp) return 0;
err_init_entity:
- while (i > 0)
dcmipp->pipe_cfg->ents[i - 1].release(dcmipp->entity[i - 1]);
- while (i-- > 0)
dcmipp->pipe_cfg->ents[i].release(dcmipp->entity[i]);}
-- 2.43.0
linux-stable-mirror@lists.linaro.org
-
Alain Volmat -
Hans Verkuil