Re: [PATCH] media: iris: check decoder format allocations

Next message: Bryam Vargas: "[PATCH] wifi: mac80211: bound S1G TIM PVB walk to the TIM element"
Previous message: Ian Rogers: "[PATCH v15 4/5] perf test: Add inject ASLR test"
In reply to: Ruoyu Wang: "[PATCH] media: iris: check decoder format allocations"
Next in thread: Ruoyu Wang: "[PATCH v2] media: iris: check decoder format allocations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dmitry Baryshkov

Date: Sat Jun 06 2026 - 03:35:34 EST

On Sat, Jun 06, 2026 at 12:07:36PM +0800, Ruoyu Wang wrote:
> iris_vdec_inst_init() allocates the source and destination v4l2_format
> structures and then immediately writes fields through inst->fmt_src and
> inst->fmt_dst. Either allocation can fail, leading to a NULL pointer
> dereference during instance initialization.
>
> Check both allocations before initializing the formats. Free any partial
> allocation, clear the instance pointers so later cleanup does not see
> dangling values, and return -ENOMEM so the open path can unwind the
> instance.
>
> Signed-off-by: Ruoyu Wang <ruoyuw560@xxxxxxxxx>
> ---
> drivers/media/platform/qcom/iris/iris_vdec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/media/platform/qcom/iris/iris_vdec.c b/drivers/media/platform/qcom/iris/iris_vdec.c
> index 99d544e2af4f9..dd18079a9ea5f 100644
> --- a/drivers/media/platform/qcom/iris/iris_vdec.c
> +++ b/drivers/media/platform/qcom/iris/iris_vdec.c
> @@ -23,6 +23,13 @@ int iris_vdec_inst_init(struct iris_inst *inst)
>
> inst->fmt_src = kzalloc_obj(*inst->fmt_src);
> inst->fmt_dst = kzalloc_obj(*inst->fmt_dst);
> + if (!inst->fmt_src || !inst->fmt_dst) {
> + kfree(inst->fmt_src);
> + kfree(inst->fmt_dst);
> + inst->fmt_src = NULL;
> + inst->fmt_dst = NULL;
> + return -ENOMEM;
> + }

I'd rather see the check for the allocated objects before they are
assigned to the fields in the instance.

>
> inst->fw_min_count = MIN_BUFFERS;
>
> --
> 2.34.1
>

--
With best wishes
Dmitry