From: Wenwen Wang
Date: Mon, 29 Oct 2018 15:35:54 -0500
Subject: Re: [PATCH] media: davinci_vpfe: fix a NULL pointer dereference bug
To: Wenwen Wang
Cc: Kangjie Lu, Mauro Carvalho Chehab, Greg Kroah-Hartman, "open list:STAGING - ATOMISP DRIVER", "open list:STAGING SUBSYSTEM", open list
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

Can anyone please confirm this bug and apply the patch? Thanks!

Wenwen

On Thu, Oct 4, 2018 at 11:00 AM Wenwen Wang wrote:
>
> In vpfe_isif_init(), there is a while loop to get the ISIF base address and
> linearization table0 and table1 address. In the loop body, the function
> platform_get_resource() is called to get the resource. If
> platform_get_resource() returns NULL, the loop is terminated and the
> execution goes to 'fail_nobase_res'. Suppose the loop is terminated at the
> first iteration because platform_get_resource() returns NULL and the
> execution goes to 'fail_nobase_res'. Given that there is another while loop
> at 'fail_nobase_res' and i equals 0, one iteration of the second while
> loop will be executed. However, the second while loop does not check the
> return value of platform_get_resource(). This can cause a NULL pointer
> dereference bug if the return value is a NULL pointer.
>
> This patch avoids the above issue by adding a check in the second while
> loop after the call to platform_get_resource().
>
> Signed-off-by: Wenwen Wang
> --- > drivers/staging/media/davinci_vpfe/dm365_isif.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/staging/media/davinci_vpfe/dm365_isif.c b/drivers/staging/media/davinci_vpfe/dm365_isif.c > index 745e33f..b0425a6 100644 > --- a/drivers/staging/media/davinci_vpfe/dm365_isif.c > +++ b/drivers/staging/media/davinci_vpfe/dm365_isif.c
> @@ -2080,7 +2080,8 @@ int vpfe_isif_init(struct vpfe_isif_device *isif, struct platform_device *pdev) > > while (i >= 0) { > res = platform_get_resource(pdev, IORESOURCE_MEM, i); > - release_mem_region(res->start, res_len); > + if (res) > + release_mem_region(res->start, res_len); > i--; > } > return status; > -- > 2.7.4 >
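
Review bot: In the cleanup loop of vpfe_isif_init(), the guarded call still passes res_len, which is not recomputed inside this loop in the lines shown, so every release_mem_region() uses whatever length was stored last rather than the size of resource i. Deriving the length from the resource inside the new check, for example `release_mem_region(res->start, resource_size(res));`, keeps start and length consistent for each index. The commit message also describes the first cleanup iteration as targeting the index whose lookup just failed, which is a region that was never requested; the NULL check skips that case, but if any other error path reaches this label with a valid resource at index i that was not successfully requested, the loop would release a region the driver does not hold, so starting the cleanup at i - 1 for those paths is worth checking.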