From: Zhou Qingyang
To: zhou1615@umn.edu
Cc: kjlu@umn.edu, Benoit Parrot, Mauro Carvalho Chehab, Hans Verkuil, Laurent Pinchart, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()
Date: Tue, 25 Jan 2022 01:20:01 +0800
Message-Id: <20220124172001.62457-1-zhou1615@umn.edu>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to fw and there is a dereference of it after that, which could lead to NULL pointer dereference on failure of devm_kzalloc().

Fix this bug by adding a NULL check of ctx->active_fmt.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code.

Fixes: 7168155002cf ("media: ti-vpe: cal: Move format handling to cal.c and expose helpers")
Signed-off-by: Zhou Qingyang
--
The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug.

 drivers/media/platform/ti-vpe/cal-video.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/ti-vpe/cal-video.c b/drivers/media/platform/ti-vpe/cal-video.c index 7799da1cc261..3e936a2ca36c 100644 --- a/drivers/media/platform/ti-vpe/cal-video.c +++ b/drivers/media/platform/ti-vpe/cal-video.c
@@ -823,6 +823,9 @@ static int cal_ctx_v4l2_init_formats(struct cal_ctx *ctx) /* Enumerate sub device formats and enable all matching local formats */ ctx->active_fmt = devm_kcalloc(ctx->cal->dev, cal_num_formats, sizeof(*ctx->active_fmt), GFP_KERNEL); + if (!ctx->active_fmt) + return -ENOMEM; + ctx->num_active_fmt = 0; for (j = 0, i = 0; ; ++j) { -- 2.25.1
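
Review bot: the changelog does not match the hunk: it says devm_kzalloc() is assigned to fw, but the added check follows a devm_kcalloc() call whose result is stored in ctx->active_fmt, so the description should name devm_kcalloc() and ctx->active_fmt to make clear which allocation the Fixes: tag refers to. The check itself, `if (!ctx->active_fmt) return -ENOMEM;`, is placed directly after the allocation and before `ctx->num_active_fmt = 0` and the loop, which is the right spot, and because the buffer is devm-managed no explicit free is needed on this early return. What the hunk does not show is whether the callers of cal_ctx_v4l2_init_formats() check and propagate its int return value; that is worth confirming in the changelog, since an ignored -ENOMEM would leave ctx->active_fmt NULL for later users.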