Re: [PATCH] media: staging/intel-ipu3: Finalize subdev initialization to allcoate active state

[Maximilian Luz]

Hi,

On 9/7/22 14:46, Tomi Valkeinen wrote:
> Hi Maximilian,
>
> On 07/09/2022 15:33, Maximilian Luz wrote:
> > Commit f69952a4dc1e ("media: subdev: add active state to struct
> > v4l2_subdev") introduced the active_state member to struct v4l2_subdev.
> > This state needs to be allocated via v4l2_subdev_init_finalize(). The
> > intel-ipu3 driver unfortunately does not do that, due to which,
>
> That is fine, a driver only needs to allocate the active state if it uses
> the active state.
>
> > active_state is NULL and we run into an oops (NULL pointer dereference)
> > when that state is accessed.
> >
> > In particular, this happens subdev in IOCTLs as commit 3cc7a4bbc381
> > ("media: subdev: pass also the active state to subdevs from ioctls")
> > passes that state on to the subdev IOCTLs. An example scenario where
> > this happens is running libcamera's qcam or cam on a device with IPU3,
> > for example the Microsoft Surface Book 2. In this case, the oops is
> > reproducibly in v4l2_subdev_get_try_crop(), called via
> > imgu_subdev_set_selection().
> >
> > To fix this, allocate the active_state member via
> > v4l2_subdev_init_finalize().
>
> This is not a correct fix. Sakari has sent (and maybe pushed?) this:
>
> https://lore.kernel.org/all/20220825190351.3241444-1-sakari.ailus@xxxxxxxxxxxxxxx/

Thanks! Unfortunately that doesn't fix the issue completely: That patch
addresses imgu_subdev_get_selection() but imgu_subdev_set_selection()
still runs into the oops.

I assume a similar fix to the one you linked is needed? I'll give that a
try.

Regards,
Max