Commit b19c347b authored by Dan Carpenter's avatar Dan Carpenter Committed by Hans Verkuil

media: mediatek: vcodec: Fix potential crash in mtk_vcodec_dbgfs_remove()

The list iterator "dbgfs_inst" is always non-NULL.  This means that the
test for NULL inside the loop is unnecessary and it also means that the
test for NULL outside the loop will not work.  If we do not find the item
on the list with the correct ctx_id then it will free invalid memory
leading to a crash.

Fixes: cd403a6a0419 ("media: mediatek: vcodec: Add a debugfs file to get different useful information")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: default avatarNicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
parent 5bd28eae
...@@ -168,14 +168,11 @@ void mtk_vcodec_dbgfs_remove(struct mtk_vcodec_dev *vcodec_dev, int ctx_id) ...@@ -168,14 +168,11 @@ void mtk_vcodec_dbgfs_remove(struct mtk_vcodec_dev *vcodec_dev, int ctx_id)
list_for_each_entry(dbgfs_inst, &vcodec_dev->dbgfs.dbgfs_head, node) { list_for_each_entry(dbgfs_inst, &vcodec_dev->dbgfs.dbgfs_head, node) {
if (dbgfs_inst->inst_id == ctx_id) { if (dbgfs_inst->inst_id == ctx_id) {
vcodec_dev->dbgfs.inst_count--; vcodec_dev->dbgfs.inst_count--;
break; list_del(&dbgfs_inst->node);
kfree(dbgfs_inst);
return;
} }
} }
if (dbgfs_inst) {
list_del(&dbgfs_inst->node);
kfree(dbgfs_inst);
}
} }
EXPORT_SYMBOL_GPL(mtk_vcodec_dbgfs_remove); EXPORT_SYMBOL_GPL(mtk_vcodec_dbgfs_remove);
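Review bot: The unlink-and-free added in the `if (dbgfs_inst->inst_id == ctx_id)` branch runs with no lock visible in this function. The tail of the function shown here has no unlock before the closing brace, so any serialization of `dbgfs_head` and `inst_count` has to come from the caller, which this page does not show. If removal can run concurrently with the code that adds entries, or with a debugfs reader walking the list, the reader could still hold the entry that `kfree(dbgfs_inst)` releases. I would document the requirement above the function, e.g. `/* Caller must serialize against dbgfs list add/remove and readers. */`, or assert it with `lockdep_assert_held(&<lock protecting dbgfs_head>)`. Note that the new early `return;` will need a matching unlock if locking is later added inside this function, whose body starts outside the hunk.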