drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c | 7 +++++++ 1 file changed, 7 insertions(+)
Add the check for the return value of the ida_alloc in order to avoid
NULL pointer dereference.
Moreover, free allocated "ctx->id" if mdp_m2m_open fails later in order
to avoid memory leak.
Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
---
Changelog:
v2 -> v3:
1. Fix the goto label.
v1 -> v2:
1. Fix the check for the ida_alloc.
---
drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c
index 5f74ea3b7a52..a2d204e90aa4 100644
--- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c
+++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c
@@ -567,6 +567,11 @@ static int mdp_m2m_open(struct file *file)
}
ctx->id = ida_alloc(&mdp->mdp_ida, GFP_KERNEL);
+ if (ctx->id < 0) {
+ ret = ctx->id;
+ goto err_unlock_mutex;
+ }
+
ctx->mdp_dev = mdp;
v4l2_fh_init(&ctx->fh, vdev);
@@ -617,6 +622,8 @@ static int mdp_m2m_open(struct file *file)
v4l2_fh_del(&ctx->fh);
err_exit_fh:
v4l2_fh_exit(&ctx->fh);
+ ida_free(&mdp->mdp_ida, ctx->id);
+err_unlock_mutex:
mutex_unlock(&mdp->m2m_lock);
err_free_ctx:
kfree(ctx);
--
2.25.1
Il 09/02/23 10:25, Jiasheng Jiang ha scritto: > Add the check for the return value of the ida_alloc in order to avoid > NULL pointer dereference. > Moreover, free allocated "ctx->id" if mdp_m2m_open fails later in order > to avoid memory leak. > > Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver") > Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> > --- > Changelog: > > v2 -> v3: > > 1. Fix the goto label. > > v1 -> v2: > > 1. Fix the check for the ida_alloc. > --- > drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c > index 5f74ea3b7a52..a2d204e90aa4 100644 > --- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c > +++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-m2m.c > @@ -567,6 +567,11 @@ static int mdp_m2m_open(struct file *file) > } > > ctx->id = ida_alloc(&mdp->mdp_ida, GFP_KERNEL); > + if (ctx->id < 0) { There's one main not-so-minor issue here: ctx->id is u32. Unsigned types cannot evaluate less than zero: they're .. unsigned! There's your fix: ret = ida_alloc ... if (ret) .... ctx->id = ret; Enjoy. Regards, Angelo
© 2016 - 2024 Red Hat, Inc.