[thirdparty/kernel/stable-queue.git] / queue-4.4 / media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch

From ed533e6a6e3bca344c091d20e97fa5336bfb6651 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Tue, 26 Oct 2021 13:23:48 +0200
Subject: media: msi001: fix possible null-ptr-deref in msi001_probe()

From: Wang Hai <wanghai38@huawei.com>

[ Upstream commit 3d5831a40d3464eea158180eb12cbd81c5edfb6a ]

I got a null-ptr-deref report:

BUG: kernel NULL pointer dereference, address: 0000000000000060
...
RIP: 0010:v4l2_ctrl_auto_cluster+0x57/0x270
...
Call Trace:
 msi001_probe+0x13b/0x24b [msi001]
 spi_probe+0xeb/0x130
...
 do_syscall_64+0x35/0xb0

In msi001_probe(), if the creation of control for bandwidth_auto
fails, there will be a null-ptr-deref issue when it is used in
v4l2_ctrl_auto_cluster().

Check dev->hdl.error before v4l2_ctrl_auto_cluster() to fix this bug.

Link: https://lore.kernel.org/linux-media/20211026112348.2878040-1-wanghai38@huawei.com
Fixes: 93203dd6c7c4 ("[media] msi001: Mirics MSi001 silicon tuner driver")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/tuners/msi001.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/media/tuners/msi001.c b/drivers/media/tuners/msi001.c
index 3a12ef35682b5..64d98517f470f 100644
--- a/drivers/media/tuners/msi001.c
+++ b/drivers/media/tuners/msi001.c
@@ -464,6 +464,13 @@ static int msi001_probe(struct spi_device *spi)
 			V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1);
 	dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
 			V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000);
+	if (dev->hdl.error) {
+		ret = dev->hdl.error;
+		dev_err(&spi->dev, "Could not initialize controls\n");
+		/* control init failed, free handler */
+		goto err_ctrl_handler_free;
+	}
+
 	v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false);
 	dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
 			V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1);
-- 
2.34.1
Commit	Line	Data
ba8d895a SL	1	From ed533e6a6e3bca344c091d20e97fa5336bfb6651 Mon Sep 17 00:00:00 2001
	2	From: Sasha Levin <sashal@kernel.org>
	3	Date: Tue, 26 Oct 2021 13:23:48 +0200
	4	Subject: media: msi001: fix possible null-ptr-deref in msi001_probe()
	5
	6	From: Wang Hai <wanghai38@huawei.com>
	7
	8	[ Upstream commit 3d5831a40d3464eea158180eb12cbd81c5edfb6a ]
	9
	10	I got a null-ptr-deref report:
	11
	12	BUG: kernel NULL pointer dereference, address: 0000000000000060
	13	...
	14	RIP: 0010:v4l2_ctrl_auto_cluster+0x57/0x270
	15	...
	16	Call Trace:
	17	msi001_probe+0x13b/0x24b [msi001]
	18	spi_probe+0xeb/0x130
	19	...
	20	do_syscall_64+0x35/0xb0
	21
	22	In msi001_probe(), if the creation of control for bandwidth_auto
	23	fails, there will be a null-ptr-deref issue when it is used in
	24	v4l2_ctrl_auto_cluster().
	25
	26	Check dev->hdl.error before v4l2_ctrl_auto_cluster() to fix this bug.
	27
	28	Link: https://lore.kernel.org/linux-media/20211026112348.2878040-1-wanghai38@huawei.com
	29	Fixes: 93203dd6c7c4 ("[media] msi001: Mirics MSi001 silicon tuner driver")
	30	Reported-by: Hulk Robot <hulkci@huawei.com>
	31	Signed-off-by: Wang Hai <wanghai38@huawei.com>
	32	Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
	33	Signed-off-by: Sasha Levin <sashal@kernel.org>
	34	---
	35	drivers/media/tuners/msi001.c \| 7 +++++++
	36	1 file changed, 7 insertions(+)
	37
	38	diff --git a/drivers/media/tuners/msi001.c b/drivers/media/tuners/msi001.c
	39	index 3a12ef35682b5..64d98517f470f 100644
	40	--- a/drivers/media/tuners/msi001.c
	41	+++ b/drivers/media/tuners/msi001.c
	42	@@ -464,6 +464,13 @@ static int msi001_probe(struct spi_device *spi)
	43	V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1);
	44	dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
	45	V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000);
	46	+ if (dev->hdl.error) {
	47	+ ret = dev->hdl.error;
	48	+ dev_err(&spi->dev, "Could not initialize controls\n");
	49	+ /* control init failed, free handler */
	50	+ goto err_ctrl_handler_free;
	51	+ }
	52	+
	53	v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false);
	54	dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
	55	V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1);
	56	--
	57	2.34.1
	58