The variable 'asd', which may be NULL, is dereferenced before check. The problem has been fixed by the following patch which can be cleanly applied to the 5.10 branch.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
From: Tsuchiya Yuto kitakar@gmail.com
commit ac56760a8bbb4e654b2fd54e5de79dd5d72f937d upstream.
There are two occurrences where the variable 'asd' is dereferenced before check. Fix this issue by using the variable after the check.
Link: https://lore.kernel.org/linux-media/20211122074122.GA6581@kili/
Link: https://lore.kernel.org/linux-media/20211201141904.47231-1-kitakar@gmail.com Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Tsuchiya Yuto kitakar@gmail.com Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org Signed-off-by: Anastasia Belova abelova@astralinux.ru --- drivers/staging/media/atomisp/pci/atomisp_cmd.c | 3 ++- drivers/staging/media/atomisp/pci/atomisp_ioctl.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/media/atomisp/pci/atomisp_cmd.c b/drivers/staging/media/atomisp/pci/atomisp_cmd.c index 20c19e08968e..613bd9620224 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_cmd.c +++ b/drivers/staging/media/atomisp/pci/atomisp_cmd.c @@ -5243,7 +5243,7 @@ static int atomisp_set_fmt_to_isp(struct video_device *vdev, int (*configure_pp_input)(struct atomisp_sub_device *asd, unsigned int width, unsigned int height) = configure_pp_input_nop; - u16 stream_index = atomisp_source_pad_to_stream_id(asd, source_pad); + u16 stream_index; const struct atomisp_in_fmt_conv *fc; int ret, i;
@@ -5252,6 +5252,7 @@ static int atomisp_set_fmt_to_isp(struct video_device *vdev, __func__, vdev->name); return -EINVAL; } + stream_index = atomisp_source_pad_to_stream_id(asd, source_pad);
v4l2_fh_init(&fh.vfh, vdev);
diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index 8a0648fd7c81..4615e4cae718 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1123,7 +1123,7 @@ int __atomisp_reqbufs(struct file *file, void *fh, struct ia_css_frame *frame; struct videobuf_vmalloc_memory *vm_mem; u16 source_pad = atomisp_subdev_source_pad(vdev); - u16 stream_id = atomisp_source_pad_to_stream_id(asd, source_pad); + u16 stream_id; int ret = 0, i = 0;
if (!asd) { @@ -1131,6 +1131,7 @@ int __atomisp_reqbufs(struct file *file, void *fh, __func__, vdev->name); return -EINVAL; } + stream_id = atomisp_source_pad_to_stream_id(asd, source_pad);
if (req->count == 0) { mutex_lock(&pipe->capq.vb_lock);
On Tue, Jun 27, 2023 at 01:23:34PM +0300, Anastasia Belova wrote:
From: Tsuchiya Yuto kitakar@gmail.com
commit ac56760a8bbb4e654b2fd54e5de79dd5d72f937d upstream.
There are two occurrences where the variable 'asd' is dereferenced before check. Fix this issue by using the variable after the check.
Link: https://lore.kernel.org/linux-media/20211122074122.GA6581@kili/
Link: https://lore.kernel.org/linux-media/20211201141904.47231-1-kitakar@gmail.com Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Tsuchiya Yuto kitakar@gmail.com Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org Signed-off-by: Anastasia Belova abelova@astralinux.ru
drivers/staging/media/atomisp/pci/atomisp_cmd.c | 3 ++- drivers/staging/media/atomisp/pci/atomisp_ioctl.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-)
Now queued up, thanks.
greg k-h
linux-stable-mirror@lists.linaro.org
-
Anastasia Belova -
Greg Kroah-Hartman