On Thu, Jan 18, 2024 at 5:13 PM Zhipeng Lu <alexious@xxxxxxxxxx> wrote:
>
> The allocation failure of mycs->yuv_scaler_binary in load_video_binaries
> is followed with a dereference of mycs->yuv_scaler_binary after the
> following call chain:
>
> sh_css_pipe_load_binaries
>   |-> load_video_binaries (mycs->yuv_scaler_binary == NULL)
>   |
>   |-> sh_css_pipe_unload_binaries
>         |-> unload_video_binaries
>
> In unload_video_binaries, it calls to ia_css_binary_unload with argument
> &pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the
> same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer
> dereference is triggered.

Good for me now, thank you.
Reviewed-by: Andy Shevchenko <andy.shevchenko@xxxxxxxxx>

P.S. If needed, or Hans can do it, the references to the functions can
be amended in the commit message as we use the 'func()' format (w/o
quotes).

-- 
With Best Regards,
Andy Shevchenko
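
The failure mode described in the quoted commit message, modelled in user space as an added example; it is not code from this thread or from the atomisp driver. The struct and function names are hypothetical stand-ins, the element count being recorded before the allocation is an assumption, and resetting the count on failure is one possible mitigation, not necessarily the fix in the patch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver's structures (not the atomisp code). */
struct binary { int loaded; };
struct video_settings {
    struct binary *yuv_scaler_binary; /* array; NULL if the allocation failed */
    unsigned int num_yuv_scaler;      /* slots the unload loop walks */
};

/* Load step. fail_alloc simulates the allocator returning NULL;
 * reset_on_fail selects the hardened error path. Returns 0 or -1. */
static int load_video(struct video_settings *s, unsigned int stages,
                      int fail_alloc, int reset_on_fail)
{
    s->num_yuv_scaler = stages; /* assumption: count recorded before allocating */
    s->yuv_scaler_binary = fail_alloc ? NULL : calloc(stages, sizeof(struct binary));
    if (!s->yuv_scaler_binary) {
        if (reset_on_fail)
            s->num_yuv_scaler = 0; /* keep count and pointer consistent */
        return -1;
    }
    return 0;
}

/* Unload step. Returns how many slots were reached through a NULL array
 * base; the real code would dereference &yuv_scaler_binary[i] at that
 * point. Nothing is dereferenced here, so the model runs safely. */
static unsigned int unload_video(struct video_settings *s)
{
    unsigned int bad = 0;
    for (unsigned int i = 0; i < s->num_yuv_scaler; i++) {
        if (!s->yuv_scaler_binary)
            bad++;
        else
            s->yuv_scaler_binary[i].loaded = 0;
    }
    free(s->yuv_scaler_binary);
    s->yuv_scaler_binary = NULL;
    s->num_yuv_scaler = 0;
    return bad;
}

/* Load followed by the cleanup the caller runs on the error path. */
static unsigned int load_then_unload(int fail_alloc, int reset_on_fail)
{
    struct video_settings s = {0};
    load_video(&s, 3, fail_alloc, reset_on_fail);
    return unload_video(&s);
}

int main(void)
{
    printf("stale count: %u NULL-based slots\n", load_then_unload(1, 0));
    printf("count reset: %u NULL-based slots\n", load_then_unload(1, 1));
    return 0;
}
```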