LF-9749 media: csi: Fix dump issue against NULL pointer dereference

Robby Cai · Robby Cai · commit 7c17ba3e850c · 2023-08-08T18:22:43.000+08:00
To fix following kernel dump, need add check for 'fmt' against NULL. This is found in compliance test ('v4l_emma.sh 1 18'). [ 149.704396] unknown pixelformat:' ' [ 149.709617] 8<--- cut here --- [ 149.731734] Unable to handle kernel NULL pointer dereference at virtual address 00000024 [ 149.763772] [00000024] *pgd=00000000 [ 149.767882] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [ 149.776023] Modules linked in: ov5640_camera_v2 mx6s_capture [ 149.781729] CPU: 0 PID: 2819 Comm: v4l2-compliance Not tainted 6.1.36-02809-g1dcae5457813 #47 [ 149.790277] Hardware name: Freescale i.MX6 Ultralite (Device Tree) [ 149.796469] PC is at mx6s_vidioc_enum_framesizes+0x9c/0x1a4 [mx6s_capture] [ 149.803408] LR is at mx6s_vidioc_enum_framesizes+0x88/0x1a4 [mx6s_capture] [ 149.810332] pc : [<7f0017d8>] lr : [<7f0017c4>] psr: 600f0013 [ 149.816616] sp : a0d2dd98 ip : 20202020 fp : 7f003948 [ 149.821857] r10: 00000000 r9 : 80ec7ea8 r8 : 0000004a [ 149.827097] r7 : 86e22268 r6 : 808ed34c r5 : 7f00d30 r4 : a0d2de74 [ 149.833640] r3 : 86e53d40 r2 : 00000000 r1 : 00000000 r0 : 0000001a [ 149.840183] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [ 149.847339] Control: 10c5387d Table: 86b9006a DAC: 00000051 [ 149.853096] Register r0 information: non-paged memory [ 149.858171] Register r1 information: NULL pointer [ 149.862893] Register r2 information: NULL pointer [ 149.867615] Register r3 information: slab task_struct start 86e53d40 pointer offset 0 [ 149.875501] Register r4 information: 2-page vmalloc region starting at 0xa0d2c000 allocated at kernel_clone+0xa4/0x33c [ 149.886248] Register r5 information: 8-page vmalloc region starting at 0x7f008000 allocated at load_module+0x9ac/0x1cbc [ 149.897075] Register r6 information: non-slab/vmalloc memory [ 149.902755] Register r7 information: slab kmalloc-1k start 86e22000 pointer offset 616 size 1024 [ 149.911593] Register r8 information: non-paged memory [ 149.916662] Register r9 information: non-slab/vmalloc memory [ 149.922342] Register r10 information: NULL pointer [ 149.927151] Register r11 information: 7-page vmalloc region starting at 0x7f000000 allocated at load_module+0x9ac/0x1cbc [ 149.938058] Register r12 information: non-paged memory ... Signed-off-by: Robby Cai <robby.cai@nxp.com> Reviewed-by: G.N. Zhou <guoniu.zhou@nxp.com>
diff --git a/drivers/media/platform/mxc/capture/mx6s_capture.c b/drivers/media/platform/mxc/capture/mx6s_capture.c
@@ -1623,7 +1623,7 @@ static int mx6s_vidioc_enum_framesizes(struct file *file, void *priv,
 	int ret;
 
 	fmt = format_by_fourcc(fsize->pixel_format);
-	if (fmt->pixelformat != fsize->pixel_format)
+	if (!fmt || fmt->pixelformat != fsize->pixel_format)
 		return -EINVAL;
 	fse.code = fmt->mbus_code;
 
@@ -1665,7 +1665,7 @@ static int mx6s_vidioc_enum_frameintervals(struct file *file, void *priv,
 	int ret;
 
 	fmt = format_by_fourcc(interval->pixel_format);
-	if (fmt->pixelformat != interval->pixel_format)
+	if (!fmt || fmt->pixelformat != interval->pixel_format)
 		return -EINVAL;
 	fie.code = fmt->mbus_code;
 
