From c3d00d5e7a8c0764738c5f3010729cc6c57243b7 Mon Sep 17 00:00:00 2001 From: Deva Ramasubramanian Date: Fri, 4 Jan 2013 16:41:11 -0800 Subject: [PATCH] msm: vidc: Fix various NULL pointer accesses, memory leaks This commit fixes various NULL pointer and memory leak bugs. (cherry picked from commit 636a61f53dbe3cbd327c101d5373f2d876475834) Change-Id: I8dc1ffc374b7ccdf5b5c1c0b51f1d8347d626c09 Signed-off-by: Deva Ramasubramanian Signed-off-by: Maheshwar Ajja --- drivers/video/msm/vidc/common/dec/vdec.c | 4 ++-- drivers/video/msm/vidc/common/enc/venc.c | 2 +- .../video/msm/vidc/common/vcd/vcd_client_sm.c | 1 + .../video/msm/vidc/common/vcd/vcd_device_sm.c | 3 ++- .../video/msm/vidc/common/vcd/vcd_scheduler.c | 19 ++++++++++++++----- drivers/video/msm/vidc/common/vcd/vcd_sub.c | 7 ++++++- 6 files changed, 26 insertions(+), 10 deletions(-) diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c index 8772f23a4..e4a6d5830 100755 --- a/drivers/video/msm/vidc/common/dec/vdec.c +++ b/drivers/video/msm/vidc/common/dec/vdec.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2010-2012, Code Aurora Forum. All rights reserved. +/* Copyright (c) 2010-2013, Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -2083,7 +2083,7 @@ int vid_dec_open_client(struct video_client_ctx **vid_clnt_ctx, int flags) } client_index = vid_dec_get_empty_client_index(); - if (client_index == -1) { + if (client_index < 0) { ERR("%s() : No free clients client_index == -1\n", __func__); rc = -ENOMEM; goto client_failure; diff --git a/drivers/video/msm/vidc/common/enc/venc.c b/drivers/video/msm/vidc/common/enc/venc.c index 468846520..60188d49a 100644 --- a/drivers/video/msm/vidc/common/enc/venc.c +++ b/drivers/video/msm/vidc/common/enc/venc.c @@ -545,7 +545,7 @@ static int vid_enc_open(struct inode *inode, struct file *file) client_index = vid_enc_get_empty_client_index(); - if (client_index == -1) { + if (client_index < 0) { ERR("%s() : No free clients client_index == -1\n", __func__); return -ENODEV; diff --git a/drivers/video/msm/vidc/common/vcd/vcd_client_sm.c b/drivers/video/msm/vidc/common/vcd/vcd_client_sm.c index b53defac0..50987460e 100644 --- a/drivers/video/msm/vidc/common/vcd/vcd_client_sm.c +++ b/drivers/video/msm/vidc/common/vcd/vcd_client_sm.c @@ -1616,6 +1616,7 @@ void vcd_do_client_state_transition(struct vcd_clnt_ctxt *cctxt, if (!cctxt || to_state >= VCD_CLIENT_STATE_MAX) { VCD_MSG_ERROR("Bad parameters. cctxt=%p, to_state=%d", cctxt, to_state); + return; } state_ctxt = &cctxt->clnt_state; diff --git a/drivers/video/msm/vidc/common/vcd/vcd_device_sm.c b/drivers/video/msm/vidc/common/vcd/vcd_device_sm.c index d5170281b..642ee7e3d 100644 --- a/drivers/video/msm/vidc/common/vcd/vcd_device_sm.c +++ b/drivers/video/msm/vidc/common/vcd/vcd_device_sm.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2010-2012, Code Aurora Forum. All rights reserved. +/* Copyright (c) 2010-2013, Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -36,6 +36,7 @@ void vcd_do_device_state_transition(struct vcd_drv_ctxt *drv_ctxt, if (!drv_ctxt || to_state >= VCD_DEVICE_STATE_MAX) { VCD_MSG_ERROR("Bad parameters. drv_ctxt=%p, to_state=%d", drv_ctxt, to_state); + return; } state_ctxt = &drv_ctxt->dev_state; diff --git a/drivers/video/msm/vidc/common/vcd/vcd_scheduler.c b/drivers/video/msm/vidc/common/vcd/vcd_scheduler.c index ab21bac49..fe0e131b1 100644 --- a/drivers/video/msm/vidc/common/vcd/vcd_scheduler.c +++ b/drivers/video/msm/vidc/common/vcd/vcd_scheduler.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2010-2012, Code Aurora Forum. All rights reserved. +/* Copyright (c) 2010-2013, Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -88,8 +88,13 @@ u32 vcd_sched_add_client(struct vcd_clnt_ctxt *cctxt) prop_hdr.sz = sizeof(cctxt->frm_p_units); rc = ddl_get_property(cctxt->ddl_handle, &prop_hdr, &cctxt->frm_p_units); - VCD_FAILED_RETURN(rc, - "Failed: Get DDL_I_FRAME_PROC_UNITS"); + if (VCD_FAILED(rc)) { + kfree(sched_cctxt); + VCD_MSG_ERROR( + "Failed: Get DDL_I_FRAME_PROC_UNITS"); + return rc; + } + if (cctxt->decoding) { cctxt->frm_rate.fps_numerator = VCD_DEC_INITIAL_FRAME_RATE; @@ -99,8 +104,12 @@ u32 vcd_sched_add_client(struct vcd_clnt_ctxt *cctxt) prop_hdr.sz = sizeof(cctxt->frm_rate); rc = ddl_get_property(cctxt->ddl_handle, &prop_hdr, &cctxt->frm_rate); - VCD_FAILED_RETURN(rc, - "Failed: Get VCD_I_FRAME_RATE"); + if (VCD_FAILED(rc)) { + kfree(sched_cctxt); + VCD_MSG_ERROR( + "Failed: Get VCD_I_FRAME_RATE"); + return rc; + } } if (!cctxt->perf_set_by_client) cctxt->reqd_perf_lvl = cctxt->frm_p_units * diff --git a/drivers/video/msm/vidc/common/vcd/vcd_sub.c b/drivers/video/msm/vidc/common/vcd/vcd_sub.c index a36465d8a..b4592546e 100644 --- a/drivers/video/msm/vidc/common/vcd/vcd_sub.c +++ b/drivers/video/msm/vidc/common/vcd/vcd_sub.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2010-2012, Code Aurora Forum. All rights reserved. +/* Copyright (c) 2010-2013, Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -1971,6 +1971,11 @@ u32 vcd_handle_input_done( orig_frame = vcd_find_buffer_pool_entry(&cctxt->in_buf_pool, transc->ip_buf_entry->virtual); + if (!orig_frame) { + rc = VCD_ERR_ILLEGAL_PARM; + VCD_FAILED_RETURN(rc, "Couldn't find buffer"); + } + if ((transc->ip_buf_entry->frame.virtual != frame->vcd_frm.virtual) || !transc->ip_buf_entry->in_use) {