Message ID | 20240112083421.3728017-1-alexious@zju.edu.cn
---|---
State | New
Series | media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries
On Fri, Jan 12, 2024 at 10:49 AM Hans de Goede <hdegoede@redhat.com> wrote:
> On 1/12/24 09:34, Zhipeng Lu wrote:

> > Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")

> Can you please submit a new version using this approach?

Besides that, are you sure the Fixes refers to the correct commit?
> On Wed, Jan 17, 2024 at 8:34 AM <alexious@zju.edu.cn> wrote:
> > > On Fri, Jan 12, 2024 at 10:49 AM Hans de Goede <hdegoede@redhat.com> wrote:
> > > > On 1/12/24 09:34, Zhipeng Lu wrote:
> > > > > Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")
> > > > Besides that, are you sure the Fixes refers to the correct commit?
> >
> > Well, I think I referred to the correct commit, which introduced the whole module and left this bug.
> >
> > If I did miss something please let me know.
>
> Yes, the driver was before that commit in the kernel. Was it without
> the bug? No, because you are referring to a clear revert. So, find the
> real commit that had brought that into the kernel.

You are correct, I just did some git blame on the latest version but forgot that the blamed commit was a revert commit.

A v2 version of this patch will be sent later to fix this issue.

Thank you for pointing out my mistake.

Regards,
Zhipeng

> --
> With Best Regards,
> Andy Shevchenko
diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c index f35c90809414..eb43f4e99d02 100644 --- a/drivers/staging/media/atomisp/pci/sh_css.c +++ b/drivers/staging/media/atomisp/pci/sh_css.c @@ -4936,9 +4936,10 @@ unload_video_binaries(struct ia_css_pipe *pipe) ia_css_binary_unload(&pipe->pipe_settings.video.video_binary); ia_css_binary_unload(&pipe->pipe_settings.video.vf_pp_binary); - for (i = 0; i < pipe->pipe_settings.video.num_yuv_scaler; i++) - ia_css_binary_unload(&pipe->pipe_settings.video.yuv_scaler_binary[i]); - + if (pipe->pipe_settings.video.yuv_scaler_binary) + for (i = 0; i < pipe->pipe_settings.video.num_yuv_scaler; i++) + ia_css_binary_unload(&pipe->pipe_settings.video.yuv_scaler_binary[i]); + kfree(pipe->pipe_settings.video.is_output_stage); pipe->pipe_settings.video.is_output_stage = NULL; kfree(pipe->pipe_settings.video.yuv_scaler_binary);
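Review bot: the new `if (pipe->pipe_settings.video.yuv_scaler_binary)` in unload_video_binaries() wraps a two-line `for` body without braces; kernel coding style asks for braces when the single statement under a conditional spans several lines, so write `if (pipe->pipe_settings.video.yuv_scaler_binary) {` before the loop and close it with `}` before the kfree(). The `-`/`+` pair of empty lines at the end of the hunk is whitespace-only churn and should be dropped from the patch. The guard itself matches the failure described in the commit message (num_yuv_scaler is already set when the array allocation fails, so the old loop indexed a NULL pointer), but as Hans and Andy note in the thread the Fixes: tag names a revert; the v2 should point at the commit that introduced the unguarded loop.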
The allocation failure of mycs->yuv_scaler_binary in load_video_binaries is followed by a dereference of mycs->yuv_scaler_binary after the following call chain:

sh_css_pipe_load_binaries
|-> load_video_binaries (mycs->yuv_scaler_binary == NULL)
|
|-> sh_css_pipe_unload_binaries
    |-> unload_video_binaries

In unload_video_binaries, it calls ia_css_binary_unload with argument &pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer dereference is triggered.

Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")
Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
---
 drivers/staging/media/atomisp/pci/sh_css.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
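The failure mode in the commit message is a general one: an error-unwind path that trusts a count recorded before the matching allocation succeeded. The following is an added, self-contained model of that pattern, not code from the atomisp driver or the patch; `struct video_settings`, `binary_unload()`, `fail_next_alloc` and the scenario helpers are simplified stand-ins chosen for illustration, and the unload routine follows the shape of the patched `unload_video_binaries()` (array pointer checked before the loop, with the braces kernel style asks for around a multi-line body).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one loaded scaler binary. */
struct scaler_binary {
	int loaded;
};

/* Hypothetical stand-in for the per-pipe video settings. */
struct video_settings {
	int num_yuv_scaler;                      /* recorded before the array exists */
	struct scaler_binary *yuv_scaler_binary; /* NULL when allocation failed */
	int unload_calls;                        /* binaries released by unload */
};

/* Test hook: when non-zero, the next scaler array allocation fails. */
static int fail_next_alloc;

static struct scaler_binary *alloc_scalers(int n)
{
	if (fail_next_alloc) {
		fail_next_alloc = 0;
		return NULL;
	}
	return calloc((size_t)n, sizeof(struct scaler_binary));
}

/* Stand-in for ia_css_binary_unload(): writes through the element it is given. */
static void binary_unload(struct video_settings *v, struct scaler_binary *b)
{
	b->loaded = 0; /* a NULL array would fault on this store */
	v->unload_calls++;
}

/*
 * Guarded unload: the loop runs only when the array was allocated, so a
 * load that failed after recording num_yuv_scaler unwinds safely.
 */
static void unload_video_binaries(struct video_settings *v)
{
	int i;

	if (v->yuv_scaler_binary) {
		for (i = 0; i < v->num_yuv_scaler; i++)
			binary_unload(v, &v->yuv_scaler_binary[i]);
	}
	free(v->yuv_scaler_binary); /* free(NULL) is a no-op, like kfree(NULL) */
	v->yuv_scaler_binary = NULL;
}

/*
 * Same order of operations as described in the commit message: the count
 * is stored, the allocation may fail, and the error path unwinds through
 * the unload routine while the pointer is still NULL.
 */
static int load_video_binaries(struct video_settings *v, int num_scalers)
{
	int i;

	v->num_yuv_scaler = num_scalers;
	v->yuv_scaler_binary = alloc_scalers(num_scalers);
	if (!v->yuv_scaler_binary) {
		unload_video_binaries(v); /* error unwind */
		return -ENOMEM;
	}
	for (i = 0; i < num_scalers; i++)
		v->yuv_scaler_binary[i].loaded = 1;
	return 0;
}

/* True when an unguarded loop over num_yuv_scaler would index a NULL array. */
static int unguarded_unload_would_fault(const struct video_settings *v)
{
	return v->num_yuv_scaler > 0 && v->yuv_scaler_binary == NULL;
}

/* Scenario: forced allocation failure; returns the load result. */
static int run_failed_load(struct video_settings *v, int n)
{
	memset(v, 0, sizeof(*v));
	fail_next_alloc = 1;
	return load_video_binaries(v, n);
}

/* Scenario: normal load then unload; returns how many binaries were released. */
static int run_load_then_unload(struct video_settings *v, int n)
{
	memset(v, 0, sizeof(*v));
	fail_next_alloc = 0;
	if (load_video_binaries(v, n) != 0)
		return -1;
	unload_video_binaries(v);
	return v->unload_calls;
}

int main(void)
{
	struct video_settings v;

	printf("failed load returns %d, count %d, unguarded loop would fault: %d\n",
	       run_failed_load(&v, 3), v.num_yuv_scaler, unguarded_unload_would_fault(&v));
	printf("successful load/unload released %d binaries\n", run_load_then_unload(&v, 2));
	return 0;
}
```

The point the model makes is that the count and the array are two pieces of state that can disagree on the error path; guarding on the pointer (as the patch does) or resetting the count when the allocation fails are both ways to keep the cleanup routine consistent with what was actually allocated.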