review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	harperchen <harperchen1110@gmail.com>
	Thu, 2 Mar 2023 12:39:05 +0000 (13:39 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 24 May 2023 16:32:34 +0000 (17:32 +0100)
commit	6738841f6fcf23e9fc30e2449f32fc84ee19c6f1
tree	b5ccd87e21d689d16e8d2d36a6b067851fe4714a	tree \| snapshot
parent	346c975524558da219c2ee5624b49dbef06b61b1	commit \| diff

media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()

[ Upstream commit 47e8b73bc35d7c54642f78e498697692f6358996 ]

When the driver calls cx23885_risc_buffer() to prepare the buffer, the
function call dma_alloc_coherent may fail, resulting in a empty buffer
risc->cpu. Later when we free the buffer or access the buffer, null ptr
deref is triggered.

This bug is similar to the following one:
https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.

We believe the bug can be also dynamically triggered from user side.
Similarly, we fix this by checking the return value of cx23885_risc_buffer()
and the value of risc->cpu before buffer free.

Signed-off-by: harperchen <harperchen1110@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/media/pci/cx23885/cx23885-core.c		diff \| blob \| history
drivers/media/pci/cx23885/cx23885-video.c		diff \| blob \| history