On 11/11/22 10:06, Anastasia Belova wrote: > Any time calling vp9_is_sf_ref_fb we need fb != NULL after checks. This doesn't match the subject line at all! > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: f77e89854b3e ("[media] vcodec: mediatek: Add Mediatek VP9 Video Decoder Driver") Drop this, it's not a fix, it just attempts to make things more robust. > > Signed-off-by: Anastasia Belova <abelova@xxxxxxxxxxxxx> > --- > drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c b/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c > index 70b8383f7c8e..776468cd834a 100644 > --- a/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c > +++ b/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c > @@ -208,6 +208,9 @@ static bool vp9_is_sf_ref_fb(struct vdec_vp9_inst *inst, struct vdec_fb *fb) > int i; > struct vdec_vp9_vsi *vsi = inst->vsi; > > + if (!fb) > + return true; > + > for (i = 0; i < ARRAY_SIZE(vsi->sf_ref_fb); i++) { > if (fb == &vsi->sf_ref_fb[i].fb) > return true; This won't work: if fb == NULL, then depending on whether this function returns true or false, the code in vp9_swap_frm_bufs() will crash in either vsi->frm_bufs[vsi->new_fb_idx].buf.fb->base_y.va or in vp9_free_sf_ref_fb(). Unless you can show there really is a path through which fb can be NULL, I don't think it is worth continuing with this. Regards, Hans
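Review bot: The added `if (!fb) return true;` at the top of vp9_is_sf_ref_fb() guards nothing in this function, because the visible loop only compares `fb` against `&vsi->sf_ref_fb[i].fb` and never dereferences it. Returning true also reports a NULL pointer as one of the `sf_ref_fb` entries, which is not what the function name promises, and the hunk carries no comment explaining why true rather than false is the safe answer. If a NULL `fb` can actually reach this code, the check belongs in the caller with an explicit error path, and the commit message should name the call path on which `fb` is NULL. The subject line and the Fixes: tag should then be made to match what the change really does.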