From: Neil Armstrong <narmstrong@baylibre.com>
To: Qingyang Zhou <zhou1615@umn.edu>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: Kangjie Lu <kjlu@umn.edu>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Kevin Hilman <khilman@baylibre.com>,
Jerome Brunet <jbrunet@baylibre.com>,
Martin Blumenstingl <martin.blumenstingl@googlemail.com>,
Maxime Jourdan <mjourdan@baylibre.com>,
linux-media@vger.kernel.org, linux-amlogic@lists.infradead.org,
linux-staging@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
Date: Wed, 12 Jan 2022 09:57:10 +0100 [thread overview]
Message-ID: <7e9f1b17-7087-3513-84b9-f5dd25211b87@baylibre.com> (raw)
In-Reply-To: <CA+Cm_xSOv5NnW5GXcKKGi8bQSvT45iH6=65YJk3EG6uW0c5_Vw@mail.gmail.com>
Hi,
On 11/01/2022 14:03, Qingyang Zhou wrote:
> Hi Hans:
>
> Here I certify that this is an origin patch I wrote. I did not copy Neil's patch, and I did not know his patch.
>
> Neil, please post your original patch here, so everyone can see both patches.
>
> Yours
> Zhou Qingyang.
>
> On Tue, Jan 11, 2022 at 5:16 PM Hans Verkuil <hverkuil-cisco@xs4all.nl <mailto:hverkuil-cisco@xs4all.nl>> wrote:
>
> Zhou Qingyang, this is exactly the patch Neil wrote, except you just stuck your
> name on it. Not nice.
>
> Neil, can you post your patch with your own Signed-off-by, then I'll take that one.
>
> Regards,
>
> Hans
>
> On 15/12/2021 04:35, Zhou Qingyang wrote:
> > In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
> > to a NULL pointer dereference on failure of kzalloc().
> >
> > Fix this bug by adding a NULL check of new_ts.
> >
> > This bug was found by a static analyzer[1].
> >
> > Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
> > and our static analyzer no longer warns about this code.
> >
> > Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
> > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu <mailto:zhou1615@umn.edu>>
> > ---
> >
> > [1] The analysis employs differential checking to identify inconsistent
> > security operations (e.g., checks or kfrees) between two code paths and
> > confirms that the inconsistent operations are not recovered in the
> > current function or the callers, so they constitute bugs.
> >
> > Note that, as a bug found by static analysis, it can be a false
> > positive or hard to trigger. Multiple researchers have cross-reviewed
> > the bug.
> >
> > Changes in v3:
> > - Change the description of patch
> > - Turn the return type from 'void' to 'int'
> > - Check the return value in the caller 'esparser_queue()'
> >
> > Changes in v2:
> > - Delete dev_err() message
> >
> > drivers/staging/media/meson/vdec/esparser.c | 7 ++++++-
> > drivers/staging/media/meson/vdec/vdec_helpers.c | 8 ++++++--
> > drivers/staging/media/meson/vdec/vdec_helpers.h | 4 ++--
> > 3 files changed, 14 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
> > index db7022707ff8..095100a50da8 100644
> > --- a/drivers/staging/media/meson/vdec/esparser.c
> > +++ b/drivers/staging/media/meson/vdec/esparser.c
> > @@ -328,7 +328,12 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
> >
> > offset = esparser_get_offset(sess);
> >
> > - amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> > + ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> > + if (!ret) {
> > + v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
> > + return ret;
> > + }
> > +
> > dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
> > vb->timestamp, payload_size, offset, vbuf->flags);
> >
> > diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
> > index b9125c295d1d..06fd66539797 100644
> > --- a/drivers/staging/media/meson/vdec/vdec_helpers.c
> > +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
> > @@ -227,13 +227,16 @@ int amvdec_set_canvases(struct amvdec_session *sess,
> > }
> > EXPORT_SYMBOL_GPL(amvdec_set_canvases);
> >
> > -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > - struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
> > +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > + struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
> > {
> > struct amvdec_timestamp *new_ts;
> > unsigned long flags;
> >
> > new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
> > + if (!new_ts)
> > + return -ENOMEM;
> > +
> > new_ts->ts = ts;
> > new_ts->tc = tc;
> > new_ts->offset = offset;
> > @@ -242,6 +245,7 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > spin_lock_irqsave(&sess->ts_spinlock, flags);
> > list_add_tail(&new_ts->list, &sess->timestamps);
> > spin_unlock_irqrestore(&sess->ts_spinlock, flags);
> > + return 0;
> > }
> > EXPORT_SYMBOL_GPL(amvdec_add_ts);
> >
> > diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
> > index 88137d15aa3a..4bf3e61d081b 100644
> > --- a/drivers/staging/media/meson/vdec/vdec_helpers.h
> > +++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
> > @@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
> > * @offset: offset in the VIFIFO where the associated packet was written
> > * @flags: the vb2_v4l2_buffer flags
> > */
> > -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > - struct v4l2_timecode tc, u32 offset, u32 flags);
> > +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > + struct v4l2_timecode tc, u32 offset, u32 flags);
> > void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
> >
> > /**
>
Let's inspect:
I posted a probable solution the 09/12/2021 in a reply to 20211209085840.2081024-1-jiasheng@iscas.ac.cn :
===================><=============================
diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
index db7022707ff8..df733eff9ac7 100644
--- a/drivers/staging/media/meson/vdec/esparser.c
+++ b/drivers/staging/media/meson/vdec/esparser.c
@@ -328,7 +328,11 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
offset = esparser_get_offset(sess);
- amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+ ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+ if (ret) {
+ v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
+ return ret;
+ }
dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
vb->timestamp, payload_size, offset, vbuf->flags);
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
index b9125c295d1d..593b2ccbece2 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.c
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
@@ -227,13 +227,15 @@ int amvdec_set_canvases(struct amvdec_session *sess,
}
EXPORT_SYMBOL_GPL(amvdec_set_canvases);
-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
- struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+ struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
{
struct amvdec_timestamp *new_ts;
unsigned long flags;
new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
+ if (!new_ts)
+ return -ENOMEM;
new_ts->ts = ts;
new_ts->tc = tc;
new_ts->offset = offset;
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
index 88137d15aa3a..4bf3e61d081b 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.h
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
@@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
* @offset: offset in the VIFIFO where the associated packet was written
* @flags: the vb2_v4l2_buffer flags
*/
-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
- struct v4l2_timecode tc, u32 offset, u32 flags);
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+ struct v4l2_timecode tc, u32 offset, u32 flags);
void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
===================><=============================
Then the patches were sent:
- 20211210015620.2143555-1-jiasheng@iscas.ac.cn on 10/12/2021
- 20211215033535.40422-1-zhou1615@umn.edu on 15/12/2021
They are extremely close but not similar, mostly indenting differs.
Both patches have the missing final "return 0" in amvdec_add_ts which is missing in my proposal.
But only 20211210015620.2143555-1-jiasheng@iscas.ac.cn has the correct "if (ret)" in esparser_queue().
Patch 20211215033535.40422-1-zhou1615@umn.ed has a wrong "if (!ret)".
But when comparing, 20211215033535.40422-1-zhou1615@umn.edu is an almost exact copy of my proposal, minus the fixes and the bogus return check.
To be honest, there is a limited way to fix this, it's probable 20211215033535.40422-1-zhou1615@umn.edu was written independently from
my proposal since there is a bug return check, and 20211210015620.2143555-1-jiasheng@iscas.ac.cn was rewritten from my proposal.
Since 20211215033535.40422-1-zhou1615@umn.ed has a bogus return check, it should be naked.
I'll only ask 20211210015620.2143555-1-jiasheng@iscas.ac.cn to be resent with a "Suggested-by" and indentation fixed like my proposal.
Neil
WARNING: multiple messages have this Message-ID (diff)
From: Neil Armstrong <narmstrong@baylibre.com>
To: Qingyang Zhou <zhou1615@umn.edu>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: Kangjie Lu <kjlu@umn.edu>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Kevin Hilman <khilman@baylibre.com>,
Jerome Brunet <jbrunet@baylibre.com>,
Martin Blumenstingl <martin.blumenstingl@googlemail.com>,
Maxime Jourdan <mjourdan@baylibre.com>,
linux-media@vger.kernel.org, linux-amlogic@lists.infradead.org,
linux-staging@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
Date: Wed, 12 Jan 2022 09:57:10 +0100 [thread overview]
Message-ID: <7e9f1b17-7087-3513-84b9-f5dd25211b87@baylibre.com> (raw)
In-Reply-To: <CA+Cm_xSOv5NnW5GXcKKGi8bQSvT45iH6=65YJk3EG6uW0c5_Vw@mail.gmail.com>
Hi,
On 11/01/2022 14:03, Qingyang Zhou wrote:
> Hi Hans:
>
> Here I certify that this is an origin patch I wrote. I did not copy Neil's patch, and I did not know his patch.
>
> Neil, please post your original patch here, so everyone can see both patches.
>
> Yours
> Zhou Qingyang.
>
> On Tue, Jan 11, 2022 at 5:16 PM Hans Verkuil <hverkuil-cisco@xs4all.nl <mailto:hverkuil-cisco@xs4all.nl>> wrote:
>
> Zhou Qingyang, this is exactly the patch Neil wrote, except you just stuck your
> name on it. Not nice.
>
> Neil, can you post your patch with your own Signed-off-by, then I'll take that one.
>
> Regards,
>
> Hans
>
> On 15/12/2021 04:35, Zhou Qingyang wrote:
> > In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
> > to a NULL pointer dereference on failure of kzalloc().
> >
> > Fix this bug by adding a NULL check of new_ts.
> >
> > This bug was found by a static analyzer[1].
> >
> > Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
> > and our static analyzer no longer warns about this code.
> >
> > Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
> > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu <mailto:zhou1615@umn.edu>>
> > ---
> >
> > [1] The analysis employs differential checking to identify inconsistent
> > security operations (e.g., checks or kfrees) between two code paths and
> > confirms that the inconsistent operations are not recovered in the
> > current function or the callers, so they constitute bugs.
> >
> > Note that, as a bug found by static analysis, it can be a false
> > positive or hard to trigger. Multiple researchers have cross-reviewed
> > the bug.
> >
> > Changes in v3:
> > - Change the description of patch
> > - Turn the return type from 'void' to 'int'
> > - Check the return value in the caller 'esparser_queue()'
> >
> > Changes in v2:
> > - Delete dev_err() message
> >
> > drivers/staging/media/meson/vdec/esparser.c | 7 ++++++-
> > drivers/staging/media/meson/vdec/vdec_helpers.c | 8 ++++++--
> > drivers/staging/media/meson/vdec/vdec_helpers.h | 4 ++--
> > 3 files changed, 14 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
> > index db7022707ff8..095100a50da8 100644
> > --- a/drivers/staging/media/meson/vdec/esparser.c
> > +++ b/drivers/staging/media/meson/vdec/esparser.c
> > @@ -328,7 +328,12 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
> >
> > offset = esparser_get_offset(sess);
> >
> > - amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> > + ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> > + if (!ret) {
> > + v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
> > + return ret;
> > + }
> > +
> > dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
> > vb->timestamp, payload_size, offset, vbuf->flags);
> >
> > diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
> > index b9125c295d1d..06fd66539797 100644
> > --- a/drivers/staging/media/meson/vdec/vdec_helpers.c
> > +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
> > @@ -227,13 +227,16 @@ int amvdec_set_canvases(struct amvdec_session *sess,
> > }
> > EXPORT_SYMBOL_GPL(amvdec_set_canvases);
> >
> > -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > - struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
> > +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > + struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
> > {
> > struct amvdec_timestamp *new_ts;
> > unsigned long flags;
> >
> > new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
> > + if (!new_ts)
> > + return -ENOMEM;
> > +
> > new_ts->ts = ts;
> > new_ts->tc = tc;
> > new_ts->offset = offset;
> > @@ -242,6 +245,7 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > spin_lock_irqsave(&sess->ts_spinlock, flags);
> > list_add_tail(&new_ts->list, &sess->timestamps);
> > spin_unlock_irqrestore(&sess->ts_spinlock, flags);
> > + return 0;
> > }
> > EXPORT_SYMBOL_GPL(amvdec_add_ts);
> >
> > diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
> > index 88137d15aa3a..4bf3e61d081b 100644
> > --- a/drivers/staging/media/meson/vdec/vdec_helpers.h
> > +++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
> > @@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
> > * @offset: offset in the VIFIFO where the associated packet was written
> > * @flags: the vb2_v4l2_buffer flags
> > */
> > -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > - struct v4l2_timecode tc, u32 offset, u32 flags);
> > +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > + struct v4l2_timecode tc, u32 offset, u32 flags);
> > void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
> >
> > /**
>
Let's inspect:
I posted a probable solution the 09/12/2021 in a reply to 20211209085840.2081024-1-jiasheng@iscas.ac.cn :
===================><=============================
diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
index db7022707ff8..df733eff9ac7 100644
--- a/drivers/staging/media/meson/vdec/esparser.c
+++ b/drivers/staging/media/meson/vdec/esparser.c
@@ -328,7 +328,11 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
offset = esparser_get_offset(sess);
- amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+ ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+ if (ret) {
+ v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
+ return ret;
+ }
dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
vb->timestamp, payload_size, offset, vbuf->flags);
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
index b9125c295d1d..593b2ccbece2 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.c
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
@@ -227,13 +227,15 @@ int amvdec_set_canvases(struct amvdec_session *sess,
}
EXPORT_SYMBOL_GPL(amvdec_set_canvases);
-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
- struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+ struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
{
struct amvdec_timestamp *new_ts;
unsigned long flags;
new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
+ if (!new_ts)
+ return -ENOMEM;
new_ts->ts = ts;
new_ts->tc = tc;
new_ts->offset = offset;
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
index 88137d15aa3a..4bf3e61d081b 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.h
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
@@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
* @offset: offset in the VIFIFO where the associated packet was written
* @flags: the vb2_v4l2_buffer flags
*/
-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
- struct v4l2_timecode tc, u32 offset, u32 flags);
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+ struct v4l2_timecode tc, u32 offset, u32 flags);
void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
===================><=============================
Then the patches were sent:
- 20211210015620.2143555-1-jiasheng@iscas.ac.cn on 10/12/2021
- 20211215033535.40422-1-zhou1615@umn.edu on 15/12/2021
They are extremely close but not similar, mostly indenting differs.
Both patches have the missing final "return 0" in amvdec_add_ts which is missing in my proposal.
But only 20211210015620.2143555-1-jiasheng@iscas.ac.cn has the correct "if (ret)" in esparser_queue().
Patch 20211215033535.40422-1-zhou1615@umn.ed has a wrong "if (!ret)".
But when comparing, 20211215033535.40422-1-zhou1615@umn.edu is an almost exact copy of my proposal, minus the fixes and the bogus return check.
To be honest, there is a limited way to fix this, it's probable 20211215033535.40422-1-zhou1615@umn.edu was written independently from
my proposal since there is a bug return check, and 20211210015620.2143555-1-jiasheng@iscas.ac.cn was rewritten from my proposal.
Since 20211215033535.40422-1-zhou1615@umn.ed has a bogus return check, it should be naked.
I'll only ask 20211210015620.2143555-1-jiasheng@iscas.ac.cn to be resent with a "Suggested-by" and indentation fixed like my proposal.
Neil
_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic
WARNING: multiple messages have this Message-ID (diff)
From: Neil Armstrong <narmstrong@baylibre.com>
To: Qingyang Zhou <zhou1615@umn.edu>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: Kangjie Lu <kjlu@umn.edu>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Kevin Hilman <khilman@baylibre.com>,
Jerome Brunet <jbrunet@baylibre.com>,
Martin Blumenstingl <martin.blumenstingl@googlemail.com>,
Maxime Jourdan <mjourdan@baylibre.com>,
linux-media@vger.kernel.org, linux-amlogic@lists.infradead.org,
linux-staging@lists.linux.dev,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
Date: Wed, 12 Jan 2022 09:57:10 +0100 [thread overview]
Message-ID: <7e9f1b17-7087-3513-84b9-f5dd25211b87@baylibre.com> (raw)
In-Reply-To: <CA+Cm_xSOv5NnW5GXcKKGi8bQSvT45iH6=65YJk3EG6uW0c5_Vw@mail.gmail.com>
Hi,
On 11/01/2022 14:03, Qingyang Zhou wrote:
> Hi Hans:
>
> Here I certify that this is an origin patch I wrote. I did not copy Neil's patch, and I did not know his patch.
>
> Neil, please post your original patch here, so everyone can see both patches.
>
> Yours
> Zhou Qingyang.
>
> On Tue, Jan 11, 2022 at 5:16 PM Hans Verkuil <hverkuil-cisco@xs4all.nl <mailto:hverkuil-cisco@xs4all.nl>> wrote:
>
> Zhou Qingyang, this is exactly the patch Neil wrote, except you just stuck your
> name on it. Not nice.
>
> Neil, can you post your patch with your own Signed-off-by, then I'll take that one.
>
> Regards,
>
> Hans
>
> On 15/12/2021 04:35, Zhou Qingyang wrote:
> > In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
> > to a NULL pointer dereference on failure of kzalloc().
> >
> > Fix this bug by adding a NULL check of new_ts.
> >
> > This bug was found by a static analyzer[1].
> >
> > Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
> > and our static analyzer no longer warns about this code.
> >
> > Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
> > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu <mailto:zhou1615@umn.edu>>
> > ---
> >
> > [1] The analysis employs differential checking to identify inconsistent
> > security operations (e.g., checks or kfrees) between two code paths and
> > confirms that the inconsistent operations are not recovered in the
> > current function or the callers, so they constitute bugs.
> >
> > Note that, as a bug found by static analysis, it can be a false
> > positive or hard to trigger. Multiple researchers have cross-reviewed
> > the bug.
> >
> > Changes in v3:
> > - Change the description of patch
> > - Turn the return type from 'void' to 'int'
> > - Check the return value in the caller 'esparser_queue()'
> >
> > Changes in v2:
> > - Delete dev_err() message
> >
> > drivers/staging/media/meson/vdec/esparser.c | 7 ++++++-
> > drivers/staging/media/meson/vdec/vdec_helpers.c | 8 ++++++--
> > drivers/staging/media/meson/vdec/vdec_helpers.h | 4 ++--
> > 3 files changed, 14 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
> > index db7022707ff8..095100a50da8 100644
> > --- a/drivers/staging/media/meson/vdec/esparser.c
> > +++ b/drivers/staging/media/meson/vdec/esparser.c
> > @@ -328,7 +328,12 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
> >
> > offset = esparser_get_offset(sess);
> >
> > - amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> > + ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> > + if (!ret) {
> > + v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
> > + return ret;
> > + }
> > +
> > dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
> > vb->timestamp, payload_size, offset, vbuf->flags);
> >
> > diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
> > index b9125c295d1d..06fd66539797 100644
> > --- a/drivers/staging/media/meson/vdec/vdec_helpers.c
> > +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
> > @@ -227,13 +227,16 @@ int amvdec_set_canvases(struct amvdec_session *sess,
> > }
> > EXPORT_SYMBOL_GPL(amvdec_set_canvases);
> >
> > -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > - struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
> > +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > + struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
> > {
> > struct amvdec_timestamp *new_ts;
> > unsigned long flags;
> >
> > new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
> > + if (!new_ts)
> > + return -ENOMEM;
> > +
> > new_ts->ts = ts;
> > new_ts->tc = tc;
> > new_ts->offset = offset;
> > @@ -242,6 +245,7 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > spin_lock_irqsave(&sess->ts_spinlock, flags);
> > list_add_tail(&new_ts->list, &sess->timestamps);
> > spin_unlock_irqrestore(&sess->ts_spinlock, flags);
> > + return 0;
> > }
> > EXPORT_SYMBOL_GPL(amvdec_add_ts);
> >
> > diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
> > index 88137d15aa3a..4bf3e61d081b 100644
> > --- a/drivers/staging/media/meson/vdec/vdec_helpers.h
> > +++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
> > @@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
> > * @offset: offset in the VIFIFO where the associated packet was written
> > * @flags: the vb2_v4l2_buffer flags
> > */
> > -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > - struct v4l2_timecode tc, u32 offset, u32 flags);
> > +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> > + struct v4l2_timecode tc, u32 offset, u32 flags);
> > void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
> >
> > /**
>
Let's inspect:
I posted a probable solution the 09/12/2021 in a reply to 20211209085840.2081024-1-jiasheng@iscas.ac.cn :
===================><=============================
diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
index db7022707ff8..df733eff9ac7 100644
--- a/drivers/staging/media/meson/vdec/esparser.c
+++ b/drivers/staging/media/meson/vdec/esparser.c
@@ -328,7 +328,11 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
offset = esparser_get_offset(sess);
- amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+ ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+ if (ret) {
+ v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
+ return ret;
+ }
dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
vb->timestamp, payload_size, offset, vbuf->flags);
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
index b9125c295d1d..593b2ccbece2 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.c
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
@@ -227,13 +227,15 @@ int amvdec_set_canvases(struct amvdec_session *sess,
}
EXPORT_SYMBOL_GPL(amvdec_set_canvases);
-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
- struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+ struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
{
struct amvdec_timestamp *new_ts;
unsigned long flags;
new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
+ if (!new_ts)
+ return -ENOMEM;
new_ts->ts = ts;
new_ts->tc = tc;
new_ts->offset = offset;
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
index 88137d15aa3a..4bf3e61d081b 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.h
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
@@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
* @offset: offset in the VIFIFO where the associated packet was written
* @flags: the vb2_v4l2_buffer flags
*/
-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
- struct v4l2_timecode tc, u32 offset, u32 flags);
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+ struct v4l2_timecode tc, u32 offset, u32 flags);
void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
===================><=============================
Then the patches were sent:
- 20211210015620.2143555-1-jiasheng@iscas.ac.cn on 10/12/2021
- 20211215033535.40422-1-zhou1615@umn.edu on 15/12/2021
They are extremely close but not similar, mostly indenting differs.
Both patches have the missing final "return 0" in amvdec_add_ts which is missing in my proposal.
But only 20211210015620.2143555-1-jiasheng@iscas.ac.cn has the correct "if (ret)" in esparser_queue().
Patch 20211215033535.40422-1-zhou1615@umn.ed has a wrong "if (!ret)".
But when comparing, 20211215033535.40422-1-zhou1615@umn.edu is an almost exact copy of my proposal, minus the fixes and the bogus return check.
To be honest, there is a limited way to fix this, it's probable 20211215033535.40422-1-zhou1615@umn.edu was written independently from
my proposal since there is a bug return check, and 20211210015620.2143555-1-jiasheng@iscas.ac.cn was rewritten from my proposal.
Since 20211215033535.40422-1-zhou1615@umn.ed has a bogus return check, it should be naked.
I'll only ask 20211210015620.2143555-1-jiasheng@iscas.ac.cn to be resent with a "Suggested-by" and indentation fixed like my proposal.
Neil
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-01-12 8:57 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-30 16:12 [PATCH] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts() Zhou Qingyang
2021-11-30 16:12 ` Zhou Qingyang
2021-11-30 16:12 ` Zhou Qingyang
2021-12-01 8:41 ` Dan Carpenter
2021-12-01 8:41 ` Dan Carpenter
2021-12-01 8:41 ` Dan Carpenter
2021-12-02 16:03 ` [PATCH v2] " Zhou Qingyang
2021-12-02 16:03 ` Zhou Qingyang
2021-12-02 16:03 ` Zhou Qingyang
2021-12-03 13:30 ` Dan Carpenter
2021-12-03 13:30 ` Dan Carpenter
2021-12-03 13:30 ` Dan Carpenter
2021-12-14 13:46 ` Mauro Carvalho Chehab
2021-12-14 13:46 ` Mauro Carvalho Chehab
2021-12-14 13:46 ` Mauro Carvalho Chehab
2021-12-14 14:16 ` Greg Kroah-Hartman
2021-12-14 14:16 ` Greg Kroah-Hartman
2021-12-14 14:16 ` Greg Kroah-Hartman
2021-12-15 3:35 ` [PATCH v3] " Zhou Qingyang
2021-12-15 3:35 ` Zhou Qingyang
2021-12-15 3:35 ` Zhou Qingyang
2022-01-11 9:16 ` Hans Verkuil
2022-01-11 9:16 ` Hans Verkuil
2022-01-11 9:16 ` Hans Verkuil
[not found] ` <CA+Cm_xSOv5NnW5GXcKKGi8bQSvT45iH6=65YJk3EG6uW0c5_Vw@mail.gmail.com>
2022-01-11 14:16 ` Hans Verkuil
2022-01-12 8:57 ` Neil Armstrong [this message]
2022-01-12 8:57 ` Neil Armstrong
2022-01-12 8:57 ` Neil Armstrong
2022-01-12 9:04 ` Hans Verkuil
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7e9f1b17-7087-3513-84b9-f5dd25211b87@baylibre.com \
--to=narmstrong@baylibre.com \
--cc=gregkh@linuxfoundation.org \
--cc=hverkuil-cisco@xs4all.nl \
--cc=jbrunet@baylibre.com \
--cc=khilman@baylibre.com \
--cc=kjlu@umn.edu \
--cc=linux-amlogic@lists.infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=martin.blumenstingl@googlemail.com \
--cc=mchehab@kernel.org \
--cc=mjourdan@baylibre.com \
--cc=zhou1615@umn.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.