]> git.baikalelectronics.ru Git - kernel.git/commit
media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish
authorharperchen <harperchen1110@gmail.com>
Fri, 3 Mar 2023 15:30:11 +0000 (16:30 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 24 May 2023 16:32:34 +0000 (17:32 +0100)
commit30a34a7947e270add2bf69e34904d476777ca7f8
treef7d0a28065c4a15ee2167a36bdcc4b2088bc63c8
parentc02e1a8f7084957b44a03cc15eb6d0272fd60904
media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish

[ Upstream commit 1634b7adcc5bef645b3666fdd564e5952a9e24e0 ]

When the driver calls tw68_risc_buffer() to prepare the buffer, the
function call dma_alloc_coherent may fail, resulting in a empty buffer
buf->cpu. Later when we free the buffer or access the buffer, null ptr
deref is triggered.

This bug is similar to the following one:
https://git.linuxtv.org/media_stage.git/commit/?id=c9360be25d30cc6d9d4a9c66331ec95df483aa0b.

We believe the bug can be also dynamically triggered from user side.
Similarly, we fix this by checking the return value of tw68_risc_buffer()
and the value of buf->cpu before buffer free.

Signed-off-by: harperchen <harperchen1110@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/media/pci/tw68/tw68-video.c