From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, Mauro Carvalho Chehab, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: media/pci: Fix a NULL pointer dereference in cx23885_417_register()
Date: Tue, 25 Jan 2022 01:06:10 +0800
Message-Id: <20220124170611.58864-1-zhou1615@umn.edu>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In cx23885_417_register(), the return value of cx23885_video_dev_alloc()
is assigned to dev->v4l_device() and there is a dereference of it after
that. The return value of cx23885_video_dev_alloc() could be NULL on
failure of allocation, which could lead to a NULL pointer dereference.

Fix this bug by adding a NULL check of dev->v4l_device.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 453afdd9ce33 ("[media] cx23885: convert to vb2")
Signed-off-by: Zhou Qingyang
---
The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/pci/cx23885/cx23885-417.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/pci/cx23885/cx23885-417.c b/drivers/media/pci/cx23885/cx23885-417.c
index 434677bd4ad1..fcc9c1117ed1 100644
--- a/drivers/media/pci/cx23885/cx23885-417.c
+++ b/drivers/media/pci/cx23885/cx23885-417.c
@@ -1521,6 +1521,8 @@ int cx23885_417_register(struct cx23885_dev *dev) /* Allocate and initialize V4L video device */ dev->v4l_device = cx23885_video_dev_alloc(tsport, dev->pci, &cx23885_mpeg_template, "mpeg"); + if (!dev->v4l_device) + return -ENOMEM; q = &dev->vb2_mpegq; q->type = V4L2_BUF_TYPE_VIDEO_CAPTURE; q->io_modes = VB2_MMAP | VB2_USERPTR | VB2_DMABUF | VB2_READ; -- 2.25.1
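
Review bot: the added `return -ENOMEM;` directly after the `cx23885_video_dev_alloc()` call leaves cx23885_417_register() without any unwinding, and the visible context does not show whether the function has already set up state by line 1521 that must be released on this path. Please confirm that nothing needs undoing here; if the function or its caller has an error path for that, route this failure through it instead of a bare return. The changelog would also be easier to check if it named the statement that dereferences `dev->v4l_device`, since the trailing context lines only show `q = &dev->vb2_mpegq` and the `q->` assignments, none of which touch the new pointer. Minor: the changelog writes `dev->v4l_device()` with call parentheses, while the hunk assigns to it as a struct member.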