From c8c80c996182239ff9b05eda4db50184cf3b2e99 Mon Sep 17 00:00:00 2001

From: Jiasheng Jiang <jiasheng@iscas.ac.cn>

Date: Thu, 13 Jan 2022 07:59:28 +0100

Subject: [PATCH] media: meson: vdec: potential dereference of null pointer

Git-commit: c8c80c996182239ff9b05eda4db50184cf3b2e99

Patch-mainline: v5.18-rc1

References: CVE-2022-3112 bsc#1206399

As the possible failure of the kzalloc(), the 'new_ts' could be NULL

pointer.

Therefore, it should be better to check it in order to avoid the

dereference of the NULL pointer.

Also, the caller esparser_queue() needs to deal with the return value of

the amvdec_add_ts().

Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")

Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>

Suggested-by: Neil Armstrong <narmstrong@baylibre.com>

Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/staging/media/meson/vdec/esparser.c     |    7 ++++++-

 drivers/staging/media/meson/vdec/vdec_helpers.c |    8 ++++++--

 drivers/staging/media/meson/vdec/vdec_helpers.h |    2 +-

 3 files changed, 13 insertions(+), 4 deletions(-)

--- a/drivers/staging/media/meson/vdec/esparser.c

+++ b/drivers/staging/media/meson/vdec/esparser.c

@@ -200,7 +200,12 @@ esparser_queue(struct amvdec_session *se

 	offset = esparser_get_offset(sess);

-	amvdec_add_ts_reorder(sess, vb->timestamp, offset);

+	ret = amvdec_add_ts_reorder(sess, vb->timestamp, offset);

+	if (ret) {

+		v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);

+		return ret;

+	}

+

 	dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X\n",

 		vb->timestamp, payload_size, offset);

--- a/drivers/staging/media/meson/vdec/vdec_helpers.c

+++ b/drivers/staging/media/meson/vdec/vdec_helpers.c

@@ -200,12 +200,15 @@ int amvdec_set_canvases(struct amvdec_se

 }

 EXPORT_SYMBOL_GPL(amvdec_set_canvases);

-void amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset)

+int amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset)

 {

 	struct amvdec_timestamp *new_ts, *tmp;

 	unsigned long flags;

-	new_ts = kmalloc(sizeof(*new_ts), GFP_KERNEL);

+	new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);

+	if (!new_ts)

+		return -ENOMEM;

+

 	new_ts->ts = ts;

 	new_ts->offset = offset;

@@ -225,6 +228,7 @@ add_tail:

 	list_add_tail(&new_ts->list, &sess->timestamps);

 unlock:

 	spin_unlock_irqrestore(&sess->ts_spinlock, flags);

+	return 0;

 }

 EXPORT_SYMBOL_GPL(amvdec_add_ts_reorder);

--- a/drivers/staging/media/meson/vdec/vdec_helpers.h

+++ b/drivers/staging/media/meson/vdec/vdec_helpers.h

@@ -50,7 +50,7 @@ void amvdec_dst_buf_done_offset(struct a

  * @ts: timestamp to add

  * @offset: offset in the VIFIFO where the associated packet was written

  */

-void amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset);

+int amvdec_add_ts_reorder(struct amvdec_session *sess, u64 ts, u32 offset);

 void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);

 /**