Commit 3d5831a4 authored by Wang Hai's avatar Wang Hai Committed by Mauro Carvalho Chehab

media: msi001: fix possible null-ptr-deref in msi001_probe()

I got a null-ptr-deref report:

BUG: kernel NULL pointer dereference, address: 0000000000000060
...
RIP: 0010:v4l2_ctrl_auto_cluster+0x57/0x270
...
Call Trace:
 msi001_probe+0x13b/0x24b [msi001]
 spi_probe+0xeb/0x130
...
 do_syscall_64+0x35/0xb0

In msi001_probe(), if the creation of control for bandwidth_auto
fails, there will be a null-ptr-deref issue when it is used in
v4l2_ctrl_auto_cluster().

Check dev->hdl.error before v4l2_ctrl_auto_cluster() to fix this bug.

Link: https://lore.kernel.org/linux-media/20211026112348.2878040-1-wanghai38@huawei.com
Fixes: 93203dd6 ("[media] msi001: Mirics MSi001 silicon tuner driver")
Reported-by: default avatarHulk Robot <hulkci@huawei.com>
Signed-off-by: default avatarWang Hai <wanghai38@huawei.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
parent c2611e47
...@@ -442,6 +442,13 @@ static int msi001_probe(struct spi_device *spi) ...@@ -442,6 +442,13 @@ static int msi001_probe(struct spi_device *spi)
V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1); V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1);
dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops, dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000); V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000);
if (dev->hdl.error) {
ret = dev->hdl.error;
dev_err(&spi->dev, "Could not initialize controls\n");
/* control init failed, free handler */
goto err_ctrl_handler_free;
}
v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false); v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false);
dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops, dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1); V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment