git.baikalelectronics.ru Git - kernel.git/commit

author	harperchen <harperchen1110@gmail.com>
	Thu, 2 Mar 2023 12:39:05 +0000 (13:39 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 24 May 2023 16:32:34 +0000 (17:32 +0100)
commit	c02e1a8f7084957b44a03cc15eb6d0272fd60904
tree	b5ccd87e21d689d16e8d2d36a6b067851fe4714a	tree \| snapshot
parent	e229479f932fa0f5f1ab35d5d1504bd1b78ef7a2	commit \| diff

media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish()

[ Upstream commit 47e8b73bc35d7c54642f78e498697692f6358996 ]

When the driver calls cx23885_risc_buffer() to prepare the buffer, the
function call dma_alloc_coherent may fail, resulting in a empty buffer
risc->cpu. Later when we free the buffer or access the buffer, null ptr
deref is triggered.

This bug is similar to the following one:
https://git.linuxtv.org/media_stage.git/commit/?id=c9360be25d30cc6d9d4a9c66331ec95df483aa0b.

We believe the bug can be also dynamically triggered from user side.
Similarly, we fix this by checking the return value of cx23885_risc_buffer()
and the value of risc->cpu before buffer free.

Signed-off-by: harperchen <harperchen1110@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/media/pci/cx23885/cx23885-core.c		diff \| blob \| history
drivers/media/pci/cx23885/cx23885-video.c		diff \| blob \| history