From: Ruoyu Wang
To: Vikash Garodia
Cc: Dikshita Agarwal, Abhinav Kumar, "Bryan O'Donoghue", Mauro Carvalho Chehab, linux-media@vger.kernel.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, Ruoyu Wang
Subject: [PATCH] media: iris: check decoder format allocations
Date: Sat, 6 Jun 2026 12:07:36 +0800
Message-ID: <20260606040736.13-1-ruoyuw560@gmail.com>

iris_vdec_inst_init() allocates the source and destination v4l2_format structures and then immediately writes fields through inst->fmt_src and inst->fmt_dst. Either allocation can fail, leading to a NULL pointer dereference during instance initialization.

Check both allocations before initializing the formats. Free any partial allocation, clear the instance pointers so later cleanup does not see dangling values, and return -ENOMEM so the open path can unwind the instance.

Signed-off-by: Ruoyu Wang
--- drivers/media/platform/qcom/iris/iris_vdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/media/platform/qcom/iris/iris_vdec.c b/drivers/media/p= latform/qcom/iris/iris_vdec.c index 99d544e2af4f9..dd18079a9ea5f 100644 --- a/drivers/media/platform/qcom/iris/iris_vdec.c +++ b/drivers/media/platform/qcom/iris/iris_vdec.c
@@ -23,6 +23,13 @@ int iris_vdec_inst_init(struct iris_inst *inst) =20 inst->fmt_src =3D kzalloc_obj(*inst->fmt_src); inst->fmt_dst =3D kzalloc_obj(*inst->fmt_dst); + if (!inst->fmt_src || !inst->fmt_dst) { + kfree(inst->fmt_src); + kfree(inst->fmt_dst); + inst->fmt_src =3D NULL; + inst->fmt_dst =3D NULL; + return -ENOMEM; + } =20 inst->fw_min_count =3D MIN_BUFFERS; =20 --=20 2.34.1
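
Review bot: the new `return -ENOMEM` in iris_vdec_inst_init() only closes the NULL dereference if the caller checks the return value, and this patch touches only iris_vdec.c, so that path is not visible here. Please confirm that the open path propagates the error and that its cleanup tolerates inst->fmt_src and inst->fmt_dst being NULL; the commit message says the open path can unwind, and naming that caller in the message would make the claim checkable. The combined test `if (!inst->fmt_src || !inst->fmt_dst)` is correct, since kfree(NULL) is a no-op, but the second allocation is still attempted after the first has failed; checking each allocation directly after it would avoid that. As this fixes a NULL pointer dereference, the message should also carry a Fixes: tag for the commit that introduced the unchecked allocations.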