Re: [PATCH] media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries

Hans de Goede <hdegoede@xxxxxxxxxx> · Fri, 12 Jan 2024 09:49:18 +0100

Hi Zhipeng Lu,

On 1/12/24 09:34, Zhipeng Lu wrote:
> The allocation failure of mycs->yuv_scaler_binary in load_video_binaries
> is followed with a dereference of mycs->yuv_scaler_binary after the
> following call chain:
> 
> sh_css_pipe_load_binaries
>   |-> load_video_binaries (mycs->yuv_scaler_binary == NULL)
>   |
>   |-> sh_css_pipe_unload_binaries
>         |-> unload_video_binaries
> 
> In unload_video_binaries, it calls to ia_css_binary_unload with argument
> &pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the
> same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer
> dereference is triggered.
> 
> Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"")
> Signed-off-by: Zhipeng Lu <alexious@xxxxxxxxxx>

Thank you for your patch. I believe it would be better to fix this
like this:

diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c
index 1d1fbda75da1..d566c5417448 100644
--- a/drivers/staging/media/atomisp/pci/sh_css.c
+++ b/drivers/staging/media/atomisp/pci/sh_css.c
@@ -4690,6 +4690,7 @@ static int load_video_binaries(struct ia_css_pipe *pipe)
 						  sizeof(struct ia_css_binary),
 						  GFP_KERNEL);
 		if (!mycs->yuv_scaler_binary) {
+			mycs->num_yuv_scaler = 0;
 			err = -ENOMEM;
 			return err;
 		}

Can you please submit a new version using this approach ?

Regards,

Hans



> ---
>  drivers/staging/media/atomisp/pci/sh_css.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c
> index f35c90809414..eb43f4e99d02 100644
> --- a/drivers/staging/media/atomisp/pci/sh_css.c
> +++ b/drivers/staging/media/atomisp/pci/sh_css.c
> @@ -4936,9 +4936,10 @@ unload_video_binaries(struct ia_css_pipe *pipe)
>  	ia_css_binary_unload(&pipe->pipe_settings.video.video_binary);
>  	ia_css_binary_unload(&pipe->pipe_settings.video.vf_pp_binary);
>  
> -	for (i = 0; i < pipe->pipe_settings.video.num_yuv_scaler; i++)
> -		ia_css_binary_unload(&pipe->pipe_settings.video.yuv_scaler_binary[i]);
> -
> +	if (pipe->pipe_settings.video.yuv_scaler_binary)
> +		for (i = 0; i < pipe->pipe_settings.video.num_yuv_scaler; i++)
> +			ia_css_binary_unload(&pipe->pipe_settings.video.yuv_scaler_binary[i]);
> +		
>  	kfree(pipe->pipe_settings.video.is_output_stage);
>  	pipe->pipe_settings.video.is_output_stage = NULL;
>  	kfree(pipe->pipe_settings.video.yuv_scaler_binary);








