media: imx274: fix stack corruption in imx274_read_reg

imx274_read_reg() takes a u8 pointer ("reg") and casts it to pass it
to regmap_read(), which takes an unsigned int pointer. This results in
a corrupted stack and random crashes.

Fixes: 0985dd306f72 ("media: imx274: V4l2 driver for Sony imx274 CMOS sensor")

Cc: stable@vger.kernel.org # for 4.15 and up
Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c
index 11c6928..95a0e7d 100644 (file)
--- a/drivers/media/i2c/imx274.c
+++ b/drivers/media/i2c/imx274.c
@@ -619,16 +619,19 @@ static int imx274_write_table(struct stimx274 *priv, const struct reg_8 table[])
 
 static inline int imx274_read_reg(struct stimx274 *priv, u16 addr, u8 *val)
 {
+       unsigned int uint_val;
        int err;
 
-       err = regmap_read(priv->regmap, addr, (unsigned int *)val);
+       err = regmap_read(priv->regmap, addr, &uint_val);
        if (err)
                dev_err(&priv->client->dev,
                        "%s : i2c read failed, addr = %x\n", __func__, addr);
        else
                dev_dbg(&priv->client->dev,
                        "%s : addr 0x%x, val=0x%x\n", __func__,
-                       addr, *val);
+                       addr, uint_val);
+
+       *val = uint_val;
        return err;
 }