[PATCH] media: iris: check decoder format allocations

Next message: Yonghong Song: "Re: [PATCH bpf-next v2 8/8] selftests/bpf: add tests to validate KASAN on JIT programs"
Previous message: HyeongJun An: "[PATCH] ALSA: seq: Fix partial userptr event expansion"
Next in thread: Dmitry Baryshkov: "Re: [PATCH] media: iris: check decoder format allocations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ruoyu Wang

Date: Sat Jun 06 2026 - 00:09:50 EST

iris_vdec_inst_init() allocates the source and destination v4l2_format
structures and then immediately writes fields through inst->fmt_src and
inst->fmt_dst. Either allocation can fail, leading to a NULL pointer
dereference during instance initialization.

Check both allocations before initializing the formats. Free any partial
allocation, clear the instance pointers so later cleanup does not see
dangling values, and return -ENOMEM so the open path can unwind the
instance.

Signed-off-by: Ruoyu Wang <ruoyuw560@xxxxxxxxx>
---
drivers/media/platform/qcom/iris/iris_vdec.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/media/platform/qcom/iris/iris_vdec.c b/drivers/media/platform/qcom/iris/iris_vdec.c
index 99d544e2af4f9..dd18079a9ea5f 100644
--- a/drivers/media/platform/qcom/iris/iris_vdec.c
+++ b/drivers/media/platform/qcom/iris/iris_vdec.c
@@ -23,6 +23,13 @@ int iris_vdec_inst_init(struct iris_inst *inst)

inst->fmt_src = kzalloc_obj(*inst->fmt_src);
inst->fmt_dst = kzalloc_obj(*inst->fmt_dst);
+ if (!inst->fmt_src || !inst->fmt_dst) {
+ kfree(inst->fmt_src);
+ kfree(inst->fmt_dst);
+ inst->fmt_src = NULL;
+ inst->fmt_dst = NULL;
+ return -ENOMEM;
+ }

inst->fw_min_count = MIN_BUFFERS;

--
2.34.1