From: Seung-Woo Kim <sw0312.kim@samsung.com>
Date: Tue, 1 Sep 2015 07:59:03 +0000 (+0900)
Subject: fimc-is: Fix wrong index access for dt child nodes
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cbef9abd782e5be865fae8880382b86e22f8fbc5;p=platform%2Fkernel%2Flinux-exynos.git

fimc-is: Fix wrong index access for dt child nodes

This patch fixes wrong index access for dt child nodes. This fixes
following use after free:
    ==================================================================
    BUG: KASan: use after free in fimc_is_parse_children_dt+0x6c/0xe8 at addr ffffffc08d27ffa8
    Write of size 8 by task swapper/0/1
    page:ffffffbdc2b49fc0 count:0 mapcount:0 mapping:          (null) index:0x0
    flags: 0x0()
    page dumped because: kasan: bad access detected
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.1.0-00839-gb91c2a6-dirty #3
    Hardware name: Samsung TM2 board (DT)
    Call trace:
    [<ffffffc00008bc58>] dump_backtrace+0x0/0x1d8
    [<ffffffc00008be40>] show_stack+0x10/0x20
    [<ffffffc000eee3a4>] dump_stack+0x80/0xd4
    [<ffffffc00021e510>] kasan_report_error+0x400/0x408
    [<ffffffc00021e9ec>] kasan_report+0x44/0x50
    [<ffffffc00021d38c>] __asan_store8+0x94/0xb0
    [<ffffffc000991900>] fimc_is_parse_children_dt+0x68/0xe8
    [<ffffffc000959368>] fimc_is_probe+0xc0/0xed8
    [<ffffffc0006dc724>] platform_drv_probe+0x64/0xf8
    [<ffffffc0006d9ae8>] driver_probe_device+0x1f0/0x3a8
    [<ffffffc0006d9de0>] __driver_attach+0xc8/0xd0
    [<ffffffc0006d6fac>] bus_for_each_dev+0xd4/0x138
    [<ffffffc0006d932c>] driver_attach+0x2c/0x40
    [<ffffffc0006d8dfc>] bus_add_driver+0x214/0x2e8
    [<ffffffc0006dab40>] driver_register+0xb0/0x1c0
    [<ffffffc0006dc618>] __platform_driver_register+0xa8/0xb8
    [<ffffffc0017952c0>] fimc_is_driver_init+0x18/0x24
    [<ffffffc000082ae4>] do_one_initcall+0xec/0x240
    [<ffffffc001755e50>] kernel_init_freeable+0x288/0x330
    [<ffffffc000eeab1c>] kernel_init+0xc/0xf0
    Memory state around the buggy address:
     ffffffc08d27fe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffffffc08d27ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    >ffffffc08d27ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                      ^
     ffffffc08d280000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffffffc08d280080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ==================================================================

Change-Id: Id2794dfbb02c5fac923f0df15618609fe5387503
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
---

diff --git a/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c b/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c
index dee15221c831..4c5ea68b8039 100644
--- a/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c
+++ b/drivers/media/platform/exynos/fimc-is/fimc-is-dt.c
@@ -270,11 +270,11 @@ int fimc_is_parse_children_dt(struct device *dev, struct fimc_is_core *core)
 		int i;
 
 		i = of_alias_get_id(child, "fimc-lite");
-		if (i >= 0 || i < FIMC_IS_MAX_NODES)
+		if (i >= 0 && i < FIMC_IS_MAX_NODES)
 			core->lite_np[i] = child;
 
 		i = of_alias_get_id(child, "csis");
-		if (i >= 0 || i < FIMC_IS_MAX_NODES)
+		if (i >= 0 && i < FIMC_IS_MAX_NODES)
 			core->csis_np[i] = child;
 	}