2023-02-09 09:25:18

by Jiasheng Jiang

Subject: [PATCH v3] media: platform: mtk-mdp3: Add missing check and free for ida_alloc

Add the check for the return value of the ida_alloc in order to avoid
NULL pointer dereference.
Moreover, free allocated "ctx->id" if mdp_m2m_open fails later in order
to avoid memory leak.

Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver")
Signed-off-by: Jiasheng Jiang <[email protected]>
---
Changelog:

v2 -> v3:

1. Fix the goto label.

v1 -> v2:

1. Fix the check for the ida_alloc.
---
drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c
index 5f74ea3b7a52..a2d204e90aa4 100644
--- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c
+++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c
@@ -567,6 +567,11 @@ static int mdp_m2m_open(struct file *file)
}

ctx->id = ida_alloc(&mdp->mdp_ida, GFP_KERNEL);
+ if (ctx->id < 0) {
+ ret = ctx->id;
+ goto err_unlock_mutex;
+ }
+
ctx->mdp_dev = mdp;

v4l2_fh_init(&ctx->fh, vdev);
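Review bot: The new test `if (ctx->id < 0)` reads the value back from the ctx field instead of from ida_alloc()'s int return; if that field is unsigned (the reply in this thread says ctx->id is u32), the branch can never be taken and the error code is silently kept as a very large id. Capture the result in `ret`, test `ret < 0`, and assign `ctx->id = ret` only on success. The commit message should also describe the problem as an unchecked error return rather than a NULL pointer dereference, since the value checked here is an integer id.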
@@ -617,6 +622,8 @@ static int mdp_m2m_open(struct file *file)
v4l2_fh_del(&ctx->fh);
err_exit_fh:
v4l2_fh_exit(&ctx->fh);
+ ida_free(&mdp->mdp_ida, ctx->id);
+err_unlock_mutex:
mutex_unlock(&mdp->m2m_lock);
err_free_ctx:
kfree(ctx);
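Review bot: ida_free() is added under the existing err_exit_fh label rather than a label of its own, so a failure point later inserted between ida_alloc() and v4l2_fh_init() would have to jump to err_unlock_mutex and leak the id. Giving the ida_free() step its own label keeps the unwind ladder at one label per acquired resource. This call is also only safe when ctx->id holds a valid id, which depends on the check in the first hunk actually catching an allocation failure.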
--
2.25.1



Subject: Re: [PATCH v3] media: platform: mtk-mdp3: Add missing check and free for ida_alloc

On 09/02/23 10:25, Jiasheng Jiang wrote:
> Add the check for the return value of the ida_alloc in order to avoid
> NULL pointer dereference.
> Moreover, free allocated "ctx->id" if mdp_m2m_open fails later in order
> to avoid memory leak.
>
> Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver")
> Signed-off-by: Jiasheng Jiang <[email protected]>
> ---
> Changelog:
>
> v2 -> v3:
>
> 1. Fix the goto label.
>
> v1 -> v2:
>
> 1. Fix the check for the ida_alloc.
> ---
> drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c
> index 5f74ea3b7a52..a2d204e90aa4 100644
> --- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c
> +++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c
> @@ -567,6 +567,11 @@ static int mdp_m2m_open(struct file *file)
> }
>
> ctx->id = ida_alloc(&mdp->mdp_ida, GFP_KERNEL);
> + if (ctx->id < 0) {

There's one main not-so-minor issue here: ctx->id is u32.
Unsigned types cannot evaluate less than zero: they're .. unsigned!

There's your fix:
ret = ida_alloc ...
if (ret)
....
ctx->id = ret;


Enjoy.

Regards,
Angelo
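
The signedness problem raised in the review, as an added user-space example (not code from the patch or the driver). mock_ida_alloc(), struct mock_ida, struct mock_ctx and both open_* helpers are hypothetical stand-ins; the only properties assumed are that the allocator returns a non-negative id or a negative errno, and that the id field is u32 as the review states. The second helper tests `ret < 0` because 0 is itself a valid id.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for ida_alloc(): returns an id >= 0, or a negative
 * errno once the constructed pool of `limit` ids is used up. */
struct mock_ida { int next, limit; };
struct mock_ctx { uint32_t id; };   /* u32 id, as stated in the review */

static int mock_ida_alloc(struct mock_ida *ida)
{
    return ida->next < ida->limit ? ida->next++ : -ENOSPC;
}

/* v3 pattern: assign to the unsigned field, then test the field.
 * gcc -Wextra reports this comparison via -Wtype-limits. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wtype-limits"
static int open_v3_style(struct mock_ida *ida, struct mock_ctx *ctx)
{
    ctx->id = mock_ida_alloc(ida);  /* -ENOSPC wraps to a huge u32 */
    if (ctx->id < 0)                /* never true for an unsigned type */
        return (int)ctx->id;
    return 0;
}
#pragma GCC diagnostic pop

/* Signed temporary: test the int, store the id only on success. */
static int open_signed_ret(struct mock_ida *ida, struct mock_ctx *ctx)
{
    int ret = mock_ida_alloc(ida);
    if (ret < 0)
        return ret;
    ctx->id = (uint32_t)ret;
    return 0;
}

int main(void)
{
    struct mock_ida a = { 0, 1 }, b = { 0, 1 };   /* constructed: one id each */
    struct mock_ctx c = { 0 }, d = { 0 };
    int r1, r2;

    open_v3_style(&a, &c);          /* first open takes the only id */
    open_signed_ret(&b, &d);
    r1 = open_v3_style(&a, &c);     /* second open: pool is exhausted */
    r2 = open_signed_ret(&b, &d);
    printf("v3 style:   ret=%d id=%u\n", r1, (unsigned)c.id);
    printf("signed ret: ret=%d id=%u\n", r2, (unsigned)d.id);
    return 0;
}
```

Building the v3-style function without the pragma and with `-Wextra` shows the compiler diagnostic that flags this class of bug before review.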