Message-ID: <664bd195bdde7fd740572c4981c60b32de1465aa.camel@collabora.com>
Subject: Re: [PATCH] vcodec: mediatek: add check for NULL for vsi->frm_bufs[vsi->new_fb_idx].buf.fb in vp9_swap_frm_bufs
From: Nicolas Dufresne
To: Anastasia Belova, Mauro Carvalho Chehab, Matthias Brugger
Cc: Tiffany Lin, Andrew-CT Chen, Yunfei Dong, AngeloGioacchino Del Regno, Hans Verkuil, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, lvc-project@linuxtesting.org
Date: Fri, 28 Oct 2022 09:02:35 -0400
In-Reply-To: <20221028125811.11340-1-abelova@astralinux.ru>
References: <20221028125811.11340-1-abelova@astralinux.ru>

Hi,

On Friday, 28 October 2022 at 15:58 +0300, Anastasia Belova wrote:
> If vsi->frm_bufs[vsi->new_fb_idx].buf.fb == NULL while cleaning
> fb_free_list NULL-pointer is dereferenced.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: f77e89854b3e ("[media] vcodec: mediatek: Add Mediatek VP9 Video Decoder Driver")
>
> Signed-off-by: Anastasia Belova
> ---
>  drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c b/= drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c > index 70b8383f7c8e..b0679aaf6192 100644 > --- a/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c > +++ b/drivers/media/platform/mediatek/vcodec/vdec/vdec_vp9_if.c > @@ -512,7 +512,7 @@ static void vp9_swap_frm_bufs(struct vdec_vp9_inst *i= nst) > * clean fb_free_list > */ > if (vsi->frm_bufs[vsi->new_fb_idx].ref_cnt =3D=3D 0) { > - if (!vp9_is_sf_ref_fb( > + if (vsi->frm_bufs[vsi->new_fb_idx].buf.fb !=3D NULL && !vp9_is_sf_ref_= fb( > inst, vsi->frm_bufs[vsi->new_fb_idx].buf.fb)) { > struct vdec_fb *fb;

Perhaps we could try and maintain some readability? I'd suggest to move the check into vp9_is_sf_ref_fb() as an early return.

Nicolas
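
Review bot: In the `ref_cnt == 0` branch of vp9_swap_frm_bufs(), the new condition packs the explicit `!= NULL` comparison and the start of the vp9_is_sf_ref_fb() call onto one over-long line; a plain pointer test on its own line (`if (vsi->frm_bufs[vsi->new_fb_idx].buf.fb &&` followed by `!vp9_is_sf_ref_fb(inst, ...)`) would follow kernel style and read more easily. If the check is moved into vp9_is_sf_ref_fb() as an early return instead, keep in mind that this hunk skips the block when the pointer is NULL, so the helper would have to return true for a NULL fb to preserve that behaviour, and that return value deserves a comment. The commit message also does not explain how buf.fb can be NULL while ref_cnt is 0, which is needed to judge whether silently skipping the free-list cleanup is the right response.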