Since commits 7b9eb53e8591 ("media: cx18: Access v4l2_fh from file") and 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file"),
all the ioctl handlers access their private data structures from the file * argument.
The ivtv and cx18 drivers call the ioctl handlers from their DVB layer without a valid file *, causing invalid memory access.
The issue has been reported by smatch in "[bug report] media: cx18: Access v4l2_fh from file"
Fix this by providing wrappers for the ioctl handlers to be used by the DVB layer that do not require a valid file *.
Signed-off-by: Jacopo Mondi jacopo.mondi@ideasonboard.com --- Changes in v2: - Add Cc: stable@vger.kernel.org per-patch
--- Jacopo Mondi (2): media: cx18: Fix invalid access to file * media: ivtv: Fix invalid access to file *
drivers/media/pci/cx18/cx18-driver.c | 6 +++--- drivers/media/pci/cx18/cx18-ioctl.c | 26 ++++++++++++++++++++------ drivers/media/pci/cx18/cx18-ioctl.h | 8 +++++--- drivers/media/pci/ivtv/ivtv-driver.c | 4 ++-- drivers/media/pci/ivtv/ivtv-ioctl.c | 22 +++++++++++++++++----- drivers/media/pci/ivtv/ivtv-ioctl.h | 6 ++++-- 6 files changed, 51 insertions(+), 21 deletions(-) --- base-commit: a75b8d198c55e9eb5feb6f6e155496305caba2dc change-id: 20250818-cx18-v4l2-fh-7eaa6199fdde
Best regards,
Since commit 7b9eb53e8591 ("media: cx18: Access v4l2_fh from file") all ioctl handlers have been ported to operate on the file * first function argument.
The cx18 DVB layer calls cx18_init_on_first_open() when the driver needs to start streaming. This function calls the s_input(), s_std() and s_frequency() ioctl handlers directly, but being called from the driver context, it doesn't have a valid file * to pass them. This causes the ioctl handlers to dereference an invalid pointer.
Fix this by wrapping the ioctl handlers implementation in helper functions that accept a cx18_open_id pointer as their first argument, and make cx18_init_on_first_open() call the helpers without going through the ioctl handlers.
The bug has been reported by Smatch:
--> 1223 cx18_s_input(NULL, &fh, video_input); The patch adds a new dereference of "file" but some of the callers pass a NULL pointer.
Reported-by: Dan Carpenter dan.carpenter@linaro.org Closes: https://lore.kernel.org/all/aKL4OMWsESUdX8KQ@stanley.mountain/ Fixes: 7b9eb53e8591 ("media: cx18: Access v4l2_fh from file") Cc: stable@vger.kernel.org Signed-off-by: Jacopo Mondi jacopo.mondi@ideasonboard.com --- drivers/media/pci/cx18/cx18-driver.c | 6 +++--- drivers/media/pci/cx18/cx18-ioctl.c | 26 ++++++++++++++++++++------ drivers/media/pci/cx18/cx18-ioctl.h | 8 +++++--- 3 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/drivers/media/pci/cx18/cx18-driver.c b/drivers/media/pci/cx18/cx18-driver.c
index 743fcc9613744bfc1edeffc51e908fe88520405a..e1798850ff78a50d7930148622c87d9303033c45 100644
--- a/drivers/media/pci/cx18/cx18-driver.c
+++ b/drivers/media/pci/cx18/cx18-driver.c
@@ -1220,14 +1220,14 @@ int cx18_init_on_first_open(struct cx18 *cx)
 	video_input = cx->active_input;
 	cx->active_input++;	/* Force update of input */
-	cx18_s_input(NULL, &fh, video_input);
+	cx18_do_s_input(&fh, video_input);
 	/* Let the VIDIOC_S_STD ioctl do all the work, keeps the code in one place. */
 	cx->std++;		/* Force full standard initialization */
 	std = (cx->tuner_std == V4L2_STD_ALL) ? V4L2_STD_NTSC_M : cx->tuner_std;
-	cx18_s_std(NULL, &fh, std);
-	cx18_s_frequency(NULL, &fh, &vf);
+	cx18_do_s_std(&fh, std);
+	cx18_do_s_frequency(&fh, &vf);
 	return 0;
 }
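Review bot: The return values of `cx18_do_s_input(&fh, video_input)`, `cx18_do_s_std(&fh, std)` and `cx18_do_s_frequency(&fh, &vf)` are still dropped, and the cx18-ioctl.c hunks show these helpers open with rejection checks (`if ((std & V4L2_STD_ALL) == 0)`, `if (vf->tuner != 0)`), so a refused standard or frequency during first open leaves no trace in the log. Logging the non-zero results with the driver's warning macro, e.g. `if (cx18_do_s_std(&fh, std)) /* warn: standard rejected */`, would make a misconfigured card debuggable. `cx18_init_on_first_open()` starts before the hunk, so where `fh` is filled in is not visible here; a comment at that spot such as `/* stub open id for the DVB path: the cx18_do_* helpers must only read ->cx */` would pin down what the helpers may dereference (in the visible lines they read only `id->cx`, the full bodies are outside the hunks). The ivtv-driver.c hunk of patch 2/2 drops the same return values.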
diff --git a/drivers/media/pci/cx18/cx18-ioctl.c b/drivers/media/pci/cx18/cx18-ioctl.c
index bf16d36448f888d9326b5f4a8f9c8f0e13d0c3a1..507df0d885e0dd2df7446aaef9e066592496d215 100644
--- a/drivers/media/pci/cx18/cx18-ioctl.c
+++ b/drivers/media/pci/cx18/cx18-ioctl.c
@@ -521,9 +521,8 @@ static int cx18_g_input(struct file *file, void *fh, unsigned int *i)
 	return 0;
 }
-int cx18_s_input(struct file *file, void *fh, unsigned int inp)
+int cx18_do_s_input(struct cx18_open_id *id, unsigned int inp)
 {
-	struct cx18_open_id *id = file2id(file);
 	struct cx18 *cx = id->cx;
 	v4l2_std_id std = V4L2_STD_ALL;
 	const struct cx18_card_video_input *card_input =
@@ -558,6 +557,11 @@ int cx18_s_input(struct file *file, void *fh, unsigned int inp)
 	return 0;
 }
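Review bot: `cx18_do_s_input()` becomes a non-static, header-exported entry point taking a `struct cx18_open_id *` from callers that no longer come through a `struct file`, yet it carries no kernel-doc saying which fields the caller must populate; the visible lines read only `id->cx`. A short comment above the definition, e.g. `/* Select video input @inp. @id need only have ->cx valid; cx18_init_on_first_open() passes a stack stub. */`, records the contract the DVB path relies on and stops a later change from dereferencing another `id` field without the non-ioctl caller noticing. The same applies to `cx18_do_s_frequency()` and `cx18_do_s_std()` in the later hunks of this file and to `ivtv_do_s_input()` in patch 2/2. The body of `cx18_do_s_input()` continues past the hunk.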
+static int cx18_s_input(struct file *file, void *fh, unsigned int inp)
+{
+	return cx18_do_s_input(file2id(file), inp);
+}
+
 static int cx18_g_frequency(struct file *file, void *fh,
 				struct v4l2_frequency *vf)
 {
@@ -570,9 +574,9 @@ static int cx18_g_frequency(struct file *file, void *fh,
 	return 0;
 }
-int cx18_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *vf)
+int cx18_do_s_frequency(struct cx18_open_id *id,
+			const struct v4l2_frequency *vf)
 {
-	struct cx18_open_id *id = file2id(file);
 	struct cx18 *cx = id->cx;
 	if (vf->tuner != 0)
@@ -585,6 +589,12 @@ int cx18_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *v
 	return 0;
 }
+static int cx18_s_frequency(struct file *file, void *fh,
+			    const struct v4l2_frequency *vf)
+{
+	return cx18_do_s_frequency(file2id(file), vf);
+}
+
 static int cx18_g_std(struct file *file, void *fh, v4l2_std_id *std)
 {
 	struct cx18 *cx = file2id(file)->cx;
@@ -593,9 +603,8 @@ static int cx18_g_std(struct file *file, void *fh, v4l2_std_id *std)
 	return 0;
 }
-int cx18_s_std(struct file *file, void *fh, v4l2_std_id std)
+int cx18_do_s_std(struct cx18_open_id *id, v4l2_std_id std)
 {
-	struct cx18_open_id *id = file2id(file);
 	struct cx18 *cx = id->cx;
 	if ((std & V4L2_STD_ALL) == 0)
@@ -642,6 +651,11 @@ int cx18_s_std(struct file *file, void *fh, v4l2_std_id std)
 	return 0;
 }
+static int cx18_s_std(struct file *file, void *fh, v4l2_std_id std)
+{
+	return cx18_do_s_std(file2id(file), std);
+}
+
 static int cx18_s_tuner(struct file *file, void *fh, const struct v4l2_tuner *vt)
 {
 	struct cx18_open_id *id = file2id(file);
diff --git a/drivers/media/pci/cx18/cx18-ioctl.h b/drivers/media/pci/cx18/cx18-ioctl.h
index 221e2400fb3e2d817eaff7515fa89eb94f2d7f8a..bd0e6e5ac4e4a66f747789fd45b1d026c6905601 100644
--- a/drivers/media/pci/cx18/cx18-ioctl.h
+++ b/drivers/media/pci/cx18/cx18-ioctl.h
@@ -12,6 +12,8 @@ u16 cx18_service2vbi(int type);
 void cx18_expand_service_set(struct v4l2_sliced_vbi_format *fmt, int is_pal);
 u16 cx18_get_service_set(struct v4l2_sliced_vbi_format *fmt);
 void cx18_set_funcs(struct video_device *vdev);
-int cx18_s_std(struct file *file, void *fh, v4l2_std_id std);
-int cx18_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *vf);
-int cx18_s_input(struct file *file, void *fh, unsigned int inp);
+
+struct cx18_open_id;
+int cx18_do_s_std(struct cx18_open_id *id, v4l2_std_id std);
+int cx18_do_s_frequency(struct cx18_open_id *id, const struct v4l2_frequency *vf);
+int cx18_do_s_input(struct cx18_open_id *id, unsigned int inp);
Since commit 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") all ioctl handlers have been ported to operate on the file * first function argument.
The ivtv DVB layer calls ivtv_init_on_first_open() when the driver needs to start streaming. This function calls the s_input() and s_frequency() ioctl handlers directly, but being called from the driver context, it doesn't have a valid file * to pass them. This causes the ioctl handlers to dereference an invalid pointer.
Fix this by wrapping the ioctl handlers implementation in helper functions that accept an ivtv_open_id pointer as their first argument, and make ivtv_init_on_first_open() call the helpers without going through the ioctl handlers.
The bug has been reported by Smatch.
Reported-by: Dan Carpenter dan.carpenter@linaro.org Closes: https://lore.kernel.org/all/aKL4OMWsESUdX8KQ@stanley.mountain/ Fixes: 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") Cc: stable@vger.kernel.org Signed-off-by: Jacopo Mondi jacopo.mondi@ideasonboard.com --- drivers/media/pci/ivtv/ivtv-driver.c | 4 ++-- drivers/media/pci/ivtv/ivtv-ioctl.c | 22 +++++++++++++++++----- drivers/media/pci/ivtv/ivtv-ioctl.h | 6 ++++-- 3 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
index ecc20cd89926fe2ce4e472526a6b5fc0857615dd..bcbb03271047df9b127039759dbfefbaae67f9c3 100644
--- a/drivers/media/pci/ivtv/ivtv-driver.c
+++ b/drivers/media/pci/ivtv/ivtv-driver.c
@@ -1310,13 +1310,13 @@ int ivtv_init_on_first_open(struct ivtv *itv)
 	video_input = itv->active_input;
 	itv->active_input++;	/* Force update of input */
-	ivtv_s_input(NULL, &fh, video_input);
+	ivtv_do_s_input(&fh, video_input);
 	/* Let the VIDIOC_S_STD ioctl do all the work, keeps the code in one place. */
 	itv->std++;		/* Force full standard initialization */
 	itv->std_out = itv->std;
-	ivtv_s_frequency(NULL, &fh, &vf);
+	ivtv_do_s_frequency(&fh, &vf);
 	if (itv->card->v4l2_capabilities & V4L2_CAP_VIDEO_OUTPUT) {
 		/* Turn on the TV-out: ivtv_init_mpeg_decoder() initializes
diff --git a/drivers/media/pci/ivtv/ivtv-ioctl.c b/drivers/media/pci/ivtv/ivtv-ioctl.c
index 8077a71d4850ec773caa20c3fca08f92f3117d69..ba1fce42a8d6d7d9a3779bfc9dfd310060e61103 100644
--- a/drivers/media/pci/ivtv/ivtv-ioctl.c
+++ b/drivers/media/pci/ivtv/ivtv-ioctl.c
@@ -974,9 +974,9 @@ static int ivtv_g_input(struct file *file, void *fh, unsigned int *i)
 	return 0;
 }
-int ivtv_s_input(struct file *file, void *fh, unsigned int inp)
+int ivtv_do_s_input(struct ivtv_open_id *id, unsigned int inp)
 {
-	struct ivtv *itv = file2id(file)->itv;
+	struct ivtv *itv = id->itv;
 	v4l2_std_id std;
 	int i;
@@ -1017,6 +1017,11 @@ int ivtv_s_input(struct file *file, void *fh, unsigned int inp)
 	return 0;
 }
+static int ivtv_s_input(struct file *file, void *fh, unsigned int inp)
+{
+	return ivtv_do_s_input(file2id(file), inp);
+}
+
 static int ivtv_g_output(struct file *file, void *fh, unsigned int *i)
 {
 	struct ivtv *itv = file2id(file)->itv;
@@ -1065,10 +1070,11 @@ static int ivtv_g_frequency(struct file *file, void *fh, struct v4l2_frequency *
 	return 0;
 }
-int ivtv_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *vf)
+int ivtv_do_s_frequency(struct ivtv_open_id *id,
+			const struct v4l2_frequency *vf)
 {
-	struct ivtv *itv = file2id(file)->itv;
-	struct ivtv_stream *s = &itv->streams[file2id(file)->type];
+	struct ivtv *itv = id->itv;
+	struct ivtv_stream *s = &itv->streams[id->type];
 	if (s->vdev.vfl_dir)
 		return -ENOTTY;
@@ -1082,6 +1088,12 @@ int ivtv_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *v
 	return 0;
 }
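Review bot: `ivtv_do_s_frequency()` evaluates `&itv->streams[id->type]` before any check, so unlike the cx18 helpers its contract now extends to `id->type`, a value the ioctl path gets from an open file but which the new caller in `ivtv_init_on_first_open()` must set itself on a stack `struct ivtv_open_id`; that setup is outside the hunk, so whether `fh.type` is initialised there cannot be confirmed from this patch. A kernel-doc line above the definition, `/* @id: only ->itv and ->type are read; ->type must be a valid index into itv->streams[] */`, and a bounds check on `id->type` ahead of the array access would keep any future non-ioctl caller from indexing past `streams[]`. The function body continues past the hunk.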
+static int ivtv_s_frequency(struct file *file, void *fh,
+			    const struct v4l2_frequency *vf)
+{
+	return ivtv_do_s_frequency(file2id(file), vf);
+}
+
 static int ivtv_g_std(struct file *file, void *fh, v4l2_std_id *std)
 {
 	struct ivtv *itv = file2id(file)->itv;
diff --git a/drivers/media/pci/ivtv/ivtv-ioctl.h b/drivers/media/pci/ivtv/ivtv-ioctl.h
index 42c2516379fcbbd0640820ab0e3abe9bf00b57ea..7c91b8963b420761c2afcab1dece4d19a4ec0322 100644
--- a/drivers/media/pci/ivtv/ivtv-ioctl.h
+++ b/drivers/media/pci/ivtv/ivtv-ioctl.h
@@ -17,7 +17,9 @@ int ivtv_set_speed(struct ivtv *itv, int speed);
 void ivtv_set_funcs(struct video_device *vdev);
 void ivtv_s_std_enc(struct ivtv *itv, v4l2_std_id std);
 void ivtv_s_std_dec(struct ivtv *itv, v4l2_std_id std);
-int ivtv_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *vf);
-int ivtv_s_input(struct file *file, void *fh, unsigned int inp);
+
+struct ivtv_open_id;
+int ivtv_do_s_frequency(struct ivtv_open_id *id, const struct v4l2_frequency *vf);
+int ivtv_do_s_input(struct ivtv_open_id *id, unsigned int inp);
#endif
On Mon, Aug 18, 2025 at 03:06:36PM +0200, Jacopo Mondi wrote:
Since commit 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") all ioctl handlers have been ported to operate on the file * first function argument.
The ivtv DVB layer calls ivtv_init_on_first_open() when the driver needs to start streaming. This function calls the s_input() and s_frequency() ioctl handlers directly, but being called from the driver context, it doesn't have a valid file * to pass them. This causes the ioctl handlers to deference an invalid pointer.
Fix this by wrapping the ioctl handlers implementation in helper functions which accepts a ivtv_open_id pointer as first argument and make the ivtv_init_on_first_open() function call the helpers without going through the ioctl handlers.
The bug has been reported by Smatch.
Reported-by: Dan Carpenter dan.carpenter@linaro.org Closes: https://lore.kernel.org/all/aKL4OMWsESUdX8KQ@stanley.mountain/ Fixes: 9ba9d11544f9 ("media: ivtv: Access v4l2_fh from file") Cc: stable@vger.kernel.org Signed-off-by: Jacopo Mondi jacopo.mondi@ideasonboard.com
drivers/media/pci/ivtv/ivtv-driver.c | 4 ++-- drivers/media/pci/ivtv/ivtv-ioctl.c | 22 +++++++++++++++++----- drivers/media/pci/ivtv/ivtv-ioctl.h | 6 ++++-- 3 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c index ecc20cd89926fe2ce4e472526a6b5fc0857615dd..bcbb03271047df9b127039759dbfefbaae67f9c3 100644 --- a/drivers/media/pci/ivtv/ivtv-driver.c +++ b/drivers/media/pci/ivtv/ivtv-driver.c @@ -1310,13 +1310,13 @@ int ivtv_init_on_first_open(struct ivtv *itv) video_input = itv->active_input; itv->active_input++; /* Force update of input */
- ivtv_s_input(NULL, &fh, video_input);
- ivtv_do_s_input(&fh, video_input);
/* Let the VIDIOC_S_STD ioctl do all the work, keeps the code in one place. */ itv->std++; /* Force full standard initialization */ itv->std_out = itv->std;
- ivtv_s_frequency(NULL, &fh, &vf);
- ivtv_do_s_frequency(&fh, &vf);
if (itv->card->v4l2_capabilities & V4L2_CAP_VIDEO_OUTPUT) { /* Turn on the TV-out: ivtv_init_mpeg_decoder() initializes diff --git a/drivers/media/pci/ivtv/ivtv-ioctl.c b/drivers/media/pci/ivtv/ivtv-ioctl.c index 8077a71d4850ec773caa20c3fca08f92f3117d69..ba1fce42a8d6d7d9a3779bfc9dfd310060e61103 100644 --- a/drivers/media/pci/ivtv/ivtv-ioctl.c +++ b/drivers/media/pci/ivtv/ivtv-ioctl.c @@ -974,9 +974,9 @@ static int ivtv_g_input(struct file *file, void *fh, unsigned int *i) return 0; } -int ivtv_s_input(struct file *file, void *fh, unsigned int inp) +int ivtv_do_s_input(struct ivtv_open_id *id, unsigned int inp) {
- struct ivtv *itv = file2id(file)->itv;
- struct ivtv *itv = id->itv; v4l2_std_id std; int i;
@@ -1017,6 +1017,11 @@ int ivtv_s_input(struct file *file, void *fh, unsigned int inp) return 0; } +static int ivtv_s_input(struct file *file, void *fh, unsigned int inp) +{
- return ivtv_do_s_input(file2id(file), inp);
+}
static int ivtv_g_output(struct file *file, void *fh, unsigned int *i) { struct ivtv *itv = file2id(file)->itv; @@ -1065,10 +1070,11 @@ static int ivtv_g_frequency(struct file *file, void *fh, struct v4l2_frequency * return 0; } -int ivtv_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *vf) +int ivtv_do_s_frequency(struct ivtv_open_id *id,
const struct v4l2_frequency *vf)
{
- struct ivtv *itv = file2id(file)->itv;
- struct ivtv_stream *s = &itv->streams[file2id(file)->type];
- struct ivtv *itv = id->itv;
- struct ivtv_stream *s = &itv->streams[id->type];
Same comments as for 1/2. Additionally, you can pass the ivtv_stream pointer to this function, either along with the ivtv pointer, or alone as you can access ivtv through s->itv.
if (s->vdev.vfl_dir) return -ENOTTY; @@ -1082,6 +1088,12 @@ int ivtv_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *v return 0; } +static int ivtv_s_frequency(struct file *file, void *fh,
const struct v4l2_frequency *vf)
+{
- return ivtv_do_s_frequency(file2id(file), vf);
+}
static int ivtv_g_std(struct file *file, void *fh, v4l2_std_id *std) { struct ivtv *itv = file2id(file)->itv; diff --git a/drivers/media/pci/ivtv/ivtv-ioctl.h b/drivers/media/pci/ivtv/ivtv-ioctl.h index 42c2516379fcbbd0640820ab0e3abe9bf00b57ea..7c91b8963b420761c2afcab1dece4d19a4ec0322 100644 --- a/drivers/media/pci/ivtv/ivtv-ioctl.h +++ b/drivers/media/pci/ivtv/ivtv-ioctl.h @@ -17,7 +17,9 @@ int ivtv_set_speed(struct ivtv *itv, int speed); void ivtv_set_funcs(struct video_device *vdev); void ivtv_s_std_enc(struct ivtv *itv, v4l2_std_id std); void ivtv_s_std_dec(struct ivtv *itv, v4l2_std_id std); -int ivtv_s_frequency(struct file *file, void *fh, const struct v4l2_frequency *vf); -int ivtv_s_input(struct file *file, void *fh, unsigned int inp);
+struct ivtv_open_id; +int ivtv_do_s_frequency(struct ivtv_open_id *id, const struct v4l2_frequency *vf); +int ivtv_do_s_input(struct ivtv_open_id *id, unsigned int inp); #endif