lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <92c8f778-cd94-4113-8b9e-699b8ffa9fa2@oss.nxp.com>
Date: Mon, 7 Apr 2025 10:52:10 +0800
From: "Ming Qian(OSS)" <ming.qian@....nxp.com>
To: Sebastian Fricke <sebastian.fricke@...labora.com>
Cc: mchehab@...nel.org, hverkuil-cisco@...all.nl, mirela.rabulea@....nxp.com,
 shawnguo@...nel.org, s.hauer@...gutronix.de, kernel@...gutronix.de,
 festevam@...il.com, xiahong.bao@....com, eagle.zhou@....com,
 linux-imx@....com, imx@...ts.linux.dev, linux-media@...r.kernel.org,
 linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH v2 1/3] media: imx-jpeg: Enhance error handling in buffer
 allocation


Hi Sebastian,


On 2025/4/5 19:39, Sebastian Fricke wrote:
> Hey Ming,
> 
> In the title I'd suggest:
> media: imx-jpeg: Cleanup after an allocation error
> 
> To be a bit more concrete, enhance error handling can mean pretty much
> anything.
> 

Thanks, I'll apply your suggestion

> On 28.03.2025 14:30, ming.qian@....nxp.com wrote:
>> From: Ming Qian <ming.qian@....nxp.com>
>>
>> In function mxc_jpeg_alloc_slot_data, driver will allocate some dma
>> buffer, but only return error if certain allocation failed.
>>
>> Without cleanup the allocation failure, the next time it will return
>> success directly, but let some buffer be uninitialized.
>> It may result in accessing a null pointer.
>>
>> Clean up if error occurs in the allocation.
> 
> I'd suggest:
> 
> When allocation failures are not cleaned up by the driver, further 
> allocation
> errors will be false-positives, which will cause buffers to remain
> uninitialized and cause NULL pointer dereferences.
> Clean up the errors accordingly.
> 

Thanks, I'll apply your suggestion

>>
>> Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG 
>> Encoder/Decoder")
>> Signed-off-by: Ming Qian <ming.qian@....nxp.com>
>> ---
>> v2
>> - Add the Fixes tag
>>
>> .../media/platform/nxp/imx-jpeg/mxc-jpeg.c    | 47 +++++++++++--------
>> 1 file changed, 27 insertions(+), 20 deletions(-)
>>
>> diff --git a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c 
>> b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
>> index 0e6ee997284b..12661c177f5a 100644
>> --- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
>> +++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
>> @@ -752,6 +752,32 @@ static int mxc_get_free_slot(struct 
>> mxc_jpeg_slot_data *slot_data)
>>     return -1;
>> }
>>
>> +static void mxc_jpeg_free_slot_data(struct mxc_jpeg_dev *jpeg)
>> +{
>> +    /* free descriptor for decoding/encoding phase */
>> +    dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
>> +              jpeg->slot_data.desc,
>> +              jpeg->slot_data.desc_handle);
>> +    jpeg->slot_data.desc = NULL;
>> +    jpeg->slot_data.desc_handle = 0;
>> +
>> +    /* free descriptor for encoder configuration phase / decoder DHT */
>> +    dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
>> +              jpeg->slot_data.cfg_desc,
>> +              jpeg->slot_data.cfg_desc_handle);
>> +    jpeg->slot_data.cfg_desc_handle = 0;
>> +    jpeg->slot_data.cfg_desc = NULL;
>> +
>> +    /* free configuration stream */
>> +    dma_free_coherent(jpeg->dev, MXC_JPEG_MAX_CFG_STREAM,
>> +              jpeg->slot_data.cfg_stream_vaddr,
>> +              jpeg->slot_data.cfg_stream_handle);
>> +    jpeg->slot_data.cfg_stream_vaddr = NULL;
>> +    jpeg->slot_data.cfg_stream_handle = 0;
>> +
>> +    jpeg->slot_data.used = false;
>> +}
>> +
>> static bool mxc_jpeg_alloc_slot_data(struct mxc_jpeg_dev *jpeg)
>> {
>>     struct mxc_jpeg_desc *desc;
>> @@ -794,30 +820,11 @@ static bool mxc_jpeg_alloc_slot_data(struct 
>> mxc_jpeg_dev *jpeg)
>>     return true;
>> err:
>>     dev_err(jpeg->dev, "Could not allocate descriptors for slot %d", 
>> jpeg->slot_data.slot);
>> +    mxc_jpeg_free_slot_data(jpeg);
>>
>>     return false;
>> }
>>
>> -static void mxc_jpeg_free_slot_data(struct mxc_jpeg_dev *jpeg)
>> -{
>> -    /* free descriptor for decoding/encoding phase */
>> -    dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
>> -              jpeg->slot_data.desc,
>> -              jpeg->slot_data.desc_handle);
>> -
>> -    /* free descriptor for encoder configuration phase / decoder DHT */
>> -    dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
>> -              jpeg->slot_data.cfg_desc,
>> -              jpeg->slot_data.cfg_desc_handle);
>> -
>> -    /* free configuration stream */
>> -    dma_free_coherent(jpeg->dev, MXC_JPEG_MAX_CFG_STREAM,
>> -              jpeg->slot_data.cfg_stream_vaddr,
>> -              jpeg->slot_data.cfg_stream_handle);
>> -
>> -    jpeg->slot_data.used = false;
>> -}
> 
> Can you split the moving of the code from the changes you do?
> Otherwise the reviewer is forced to get the diff manually.

Sure, this will be done in v3

> 
> Regards,
> Sebastian Fricke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ