fimc-is: fix wrong index access for dt child nodes

This patch fixes wrong index access for dt child nodes. This fixes
following use after free:
    ==================================================================
    BUG: KASan: use after free in fimc_is_parse_children_dt+0x6c/0xe8 at addr ffffffc08d27ffa8
    Write of size 8 by task swapper/0/1
    page:ffffffbdc2b49fc0 count:0 mapcount:0 mapping:          (null) index:0x0
    flags: 0x0()
    page dumped because: kasan: bad access detected
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.1.0-00839-gb91c2a6-dirty #3
    Hardware name: Samsung TM2 board (DT)
    Call trace:
    [<ffffffc00008bc58>] dump_backtrace+0x0/0x1d8
    [<ffffffc00008be40>] show_stack+0x10/0x20
    [<ffffffc000eee3a4>] dump_stack+0x80/0xd4
    [<ffffffc00021e510>] kasan_report_error+0x400/0x408
    [<ffffffc00021e9ec>] kasan_report+0x44/0x50
    [<ffffffc00021d38c>] __asan_store8+0x94/0xb0
    [<ffffffc000991900>] fimc_is_parse_children_dt+0x68/0xe8
    [<ffffffc000959368>] fimc_is_probe+0xc0/0xed8
    [<ffffffc0006dc724>] platform_drv_probe+0x64/0xf8
    [<ffffffc0006d9ae8>] driver_probe_device+0x1f0/0x3a8
    [<ffffffc0006d9de0>] __driver_attach+0xc8/0xd0
    [<ffffffc0006d6fac>] bus_for_each_dev+0xd4/0x138
    [<ffffffc0006d932c>] driver_attach+0x2c/0x40
    [<ffffffc0006d8dfc>] bus_add_driver+0x214/0x2e8
    [<ffffffc0006dab40>] driver_register+0xb0/0x1c0
    [<ffffffc0006dc618>] __platform_driver_register+0xa8/0xb8
    [<ffffffc0017952c0>] fimc_is_driver_init+0x18/0x24
    [<ffffffc000082ae4>] do_one_initcall+0xec/0x240
    [<ffffffc001755e50>] kernel_init_freeable+0x288/0x330
    [<ffffffc000eeab1c>] kernel_init+0xc/0xf0
    Memory state around the buggy address:
     ffffffc08d27fe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffffffc08d27ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    >ffffffc08d27ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                      ^
     ffffffc08d280000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffffffc08d280080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ==================================================================

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

diff --git a/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c b/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c
index dee1522..4c5ea68 100644 (file)
--- a/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c
+++ b/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c
@@ -270,11 +270,11 @@ int fimc_is_parse_children_dt(struct device *dev, struct fimc_is_core *core)
                int i;
 
                i = of_alias_get_id(child, "fimc-lite");
-               if (i >= 0 || i < FIMC_IS_MAX_NODES)
+               if (i >= 0 && i < FIMC_IS_MAX_NODES)
                        core->lite_np[i] = child;
 
                i = of_alias_get_id(child, "csis");
-               if (i >= 0 || i < FIMC_IS_MAX_NODES)
+               if (i >= 0 && i < FIMC_IS_MAX_NODES)
                        core->csis_np[i] = child;
        }