From patchwork Thu Oct 4 16:00:31 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wenwen Wang X-Patchwork-Id: 52349 X-Patchwork-Delegate: laurent.pinchart@ideasonboard.com Received: from vger.kernel.org ([209.132.180.67]) by www.linuxtv.org with esmtp (Exim 4.84_2) (envelope-from ) id 1g863a-0002b6-5S; Thu, 04 Oct 2018 16:00:54 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727557AbeJDWyk (ORCPT + 1 other); Thu, 4 Oct 2018 18:54:40 -0400 Received: from mta-p7.oit.umn.edu ([134.84.196.207]:33522 "EHLO mta-p7.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727526AbeJDWyk (ORCPT ); Thu, 4 Oct 2018 18:54:40 -0400 Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id A528311CF for ; Thu, 4 Oct 2018 16:00:45 +0000 (UTC) X-Virus-Scanned: amavisd-new at umn.edu Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ytCTDQjPHvN8 for ; Thu, 4 Oct 2018 11:00:45 -0500 (CDT) Received: from mail-io1-f69.google.com (mail-io1-f69.google.com [209.85.166.69]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id 7224211DE for ; Thu, 4 Oct 2018 11:00:45 -0500 (CDT) Received: by mail-io1-f69.google.com with SMTP id t22-v6so7840113ioc.20 for ; Thu, 04 Oct 2018 09:00:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=from:to:cc:subject:date:message-id; bh=Ie3cKh7tyt3QXvlrAGVJ8y4Hy36L8S8XML8eOFURSKY=; b=ZIc2Vd1GrGTeCPPGrR1W13bRcX/GOrEL7m8+n0Tt9tSZkllE5dtrj23OoWtKIj6s3+ TSwxvJS4qaSp98XUTeyOvcFYe94BVxABr0AaMoyZSggxIvT4Mzrnt0+xKGmZdHhw86ZK z+kDUmHF7ynLDz70Pnn3MdJ0KPw7XTZZBWRMJ5oEKzQ+l26SC7IaGASRf4P+/on7eSsB KMhHjQo374e8Mi2uo9p45TlkC986OV3Sam7xakMPwjUvIoAeFYGg1BmLegnhYgT/QcLX gW21m5TzT2fWsQCBLHuh86/P8GlyPh354gJUhfVEL+IIrH/b6yL+gwujHylCTm3mdc/G DcMg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=Ie3cKh7tyt3QXvlrAGVJ8y4Hy36L8S8XML8eOFURSKY=; b=uiSx604utR+KB7p4rkqWbw+JG9xK09NQ7rhJB62zljcA5nmJEfZ94wEmMaePKg837d mL2cCK5tFkeV2X2Ah0CGXx3eJfxxwmZCa6wKSuwFS4RGcfHIltLRDRvruhIBfsSZAmA9 ZDWprMhArd5TfkbwePhuKe1fXftc7I1FjyD6uf/ESDEx3T5vOjJk4WtiFiIfVGyI/YPp EUjQNZYmnQfOctNQXwCw741WB0J1Uj4JTZJq2ROm4Gvd4QOk6kjXS0Y0cCnWljJQVUrR uOKtpHYvQ6Vy1QRq9jRM7j34AYp1CX5AEL8RRifU086fw7OO+ziGo9wkZ6hD3lEinqLX lSDA== X-Gm-Message-State: ABuFfojQm/bLpxshnepQpMPZO0m+MnT6HUZcw+ICbPqnvcBp+EbYDKp5 9TGuV3z601y+Qd3XulVELTiGZpdkqmp5oyqqZnw1lU2flKCrCHSSDUiHTxjQcg7tpBMvubsEGXS J091cE853iUK2U4jH0P8Zj7w7wCg= X-Received: by 2002:a02:238f:: with SMTP id u137-v6mr5702302jau.0.1538668845124; Thu, 04 Oct 2018 09:00:45 -0700 (PDT) X-Google-Smtp-Source: ACcGV60+skhG7cj7TF9eMlqQnjgBQseKEUJl+gCJQfHjir12PsmEQOlElYLiWwPfIZq1lQCAnDxPGg== X-Received: by 2002:a02:238f:: with SMTP id u137-v6mr5702281jau.0.1538668844884; Thu, 04 Oct 2018 09:00:44 -0700 (PDT) Received: from cs-u-cslp16.cs.umn.edu (cs-u-cslp16.cs.umn.edu. [134.84.121.95]) by smtp.gmail.com with ESMTPSA id f15-v6sm2225553ita.24.2018.10.04.09.00.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 04 Oct 2018 09:00:44 -0700 (PDT) From: Wenwen Wang To: Wenwen Wang Cc: Kangjie Lu , Mauro Carvalho Chehab , Greg Kroah-Hartman , linux-media@vger.kernel.org (open list:MEDIA INPUT INFRASTRUCTURE (V4L/DVB)), devel@driverdev.osuosl.org (open list:STAGING SUBSYSTEM), linux-kernel@vger.kernel.org (open list) Subject: [PATCH] media: davinci_vpfe: fix a NULL pointer dereference bug Date: Thu, 4 Oct 2018 11:00:31 -0500 Message-Id: <1538668833-18372-1-git-send-email-wang6495@umn.edu> X-Mailer: git-send-email 2.7.4 Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org In vpfe_isif_init(), there is a while loop to get the ISIF base address and linearization table0 and table1 address. In the loop body, the function platform_get_resource() is called to get the resource. If platform_get_resource() returns NULL, the loop is terminated and the execution goes to 'fail_nobase_res'. Suppose the loop is terminated at the first iteration because platform_get_resource() returns NULL and the execution goes to 'fail_nobase_res'. Given that there is another while loop at 'fail_nobase_res' and i equals to 0, one iteration of the second while loop will be executed. However, the second while loop does not check the return value of platform_get_resource(). This can cause a NULL pointer dereference bug if the return value is a NULL pointer. This patch avoids the above issue by adding a check in the second while loop after the call to platform_get_resource(). Signed-off-by: Wenwen Wang --- drivers/staging/media/davinci_vpfe/dm365_isif.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/media/davinci_vpfe/dm365_isif.c b/drivers/staging/media/davinci_vpfe/dm365_isif.c index 745e33f..b0425a6 100644 --- a/drivers/staging/media/davinci_vpfe/dm365_isif.c +++ b/drivers/staging/media/davinci_vpfe/dm365_isif.c @@ -2080,7 +2080,8 @@ int vpfe_isif_init(struct vpfe_isif_device *isif, struct platform_device *pdev) while (i >= 0) { res = platform_get_resource(pdev, IORESOURCE_MEM, i); - release_mem_region(res->start, res_len); + if (res) + release_mem_region(res->start, res_len); i--; } return status;