Hi,

On 1/18/24 16:13, Zhipeng Lu wrote:
> The allocation failure of mycs->yuv_scaler_binary in load_video_binaries
> is followed with a dereference of mycs->yuv_scaler_binary after the
> following call chain:
>
> sh_css_pipe_load_binaries
>   |-> load_video_binaries (mycs->yuv_scaler_binary == NULL)
>   |
>   |-> sh_css_pipe_unload_binaries
>         |-> unload_video_binaries
>
> In unload_video_binaries, it calls to ia_css_binary_unload with argument
> &pipe->pipe_settings.video.yuv_scaler_binary[i], which refers to the
> same memory slot as mycs->yuv_scaler_binary. Thus, a null-pointer
> dereference is triggered.
>
> Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2")
> Signed-off-by: Zhipeng Lu <alexious@xxxxxxxxxx>
> ---
> Changelog:
>
> v2: change fix approach to set mycs->num_yuv_scaler = 0 in
>     load_video_binaries. Change the fix tag to correct commit.

Thank you for your patch.

I have applied this patch to my media-atomisp branch:
https://git.kernel.org/pub/scm/linux/kernel/git/hansg/linux.git/log/?h=media-atomisp

and I will include this in my next media-atomisp pull-request to Mauro.

Regards,

Hans

> --- > drivers/staging/media/atomisp/pci/sh_css.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c > index f35c90809414..638f08b3f21b 100644 > --- a/drivers/staging/media/atomisp/pci/sh_css.c > +++ b/drivers/staging/media/atomisp/pci/sh_css.c > @@ -4719,6 +4719,7 @@ static int load_video_binaries(struct ia_css_pipe *pipe) > sizeof(struct ia_css_binary), > GFP_KERNEL); > if (!mycs->yuv_scaler_binary) { > + mycs->num_yuv_scaler = 0; > err = -ENOMEM; > return err; > }
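
Review bot: The added "mycs->num_yuv_scaler = 0;" in the "if (!mycs->yuv_scaler_binary)" branch only prevents the dereference if unload_video_binaries bounds its walk over yuv_scaler_binary[i] by num_yuv_scaler, and neither the hunk nor the commit message says so. The message still describes only the failure (ia_css_binary_unload being called on &pipe->pipe_settings.video.yuv_scaler_binary[i]) and the v2 changelog names the new approach without the reasoning, so a reader of the final commit cannot see why resetting a counter fixes a NULL array. I would add one sentence to the commit message stating that the unload loop is bounded by num_yuv_scaler, or a short comment above the new line to the same effect. It is also worth confirming that nothing else on the unload path indexes yuv_scaler_binary without consulting that count.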