Skip to content

Commit 7ca4ba2

Browse files
SinkFindergregkh
SinkFinder
authored and
gregkh
committed
cx25840: fix unchecked return values
[ Upstream commit 35378ce143071c2a6bad4b59a000e9b9f8f6ea67 ] In functions cx25840_initialize(), cx231xx_initialize(), and cx23885_initialize(), the return value of create_singlethread_workqueue() is used without validation. This may result in NULL dereference and cause kernel crash. This patch fixes it. Signed-off-by: Pan Bian <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 7860df1 commit 7ca4ba2

File tree

1 file changed

+21
-15
lines changed

1 file changed

+21
-15
lines changed

drivers/media/i2c/cx25840/cx25840-core.c

+21-15
Original file line numberDiff line numberDiff line change
@@ -420,11 +420,13 @@ static void cx25840_initialize(struct i2c_client *client)
420420
INIT_WORK(&state->fw_work, cx25840_work_handler);
421421
init_waitqueue_head(&state->fw_wait);
422422
q = create_singlethread_workqueue("cx25840_fw");
423-
prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
424-
queue_work(q, &state->fw_work);
425-
schedule();
426-
finish_wait(&state->fw_wait, &wait);
427-
destroy_workqueue(q);
423+
if (q) {
424+
prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
425+
queue_work(q, &state->fw_work);
426+
schedule();
427+
finish_wait(&state->fw_wait, &wait);
428+
destroy_workqueue(q);
429+
}
428430

429431
/* 6. */
430432
cx25840_write(client, 0x115, 0x8c);
@@ -631,11 +633,13 @@ static void cx23885_initialize(struct i2c_client *client)
631633
INIT_WORK(&state->fw_work, cx25840_work_handler);
632634
init_waitqueue_head(&state->fw_wait);
633635
q = create_singlethread_workqueue("cx25840_fw");
634-
prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
635-
queue_work(q, &state->fw_work);
636-
schedule();
637-
finish_wait(&state->fw_wait, &wait);
638-
destroy_workqueue(q);
636+
if (q) {
637+
prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
638+
queue_work(q, &state->fw_work);
639+
schedule();
640+
finish_wait(&state->fw_wait, &wait);
641+
destroy_workqueue(q);
642+
}
639643

640644
/* Call the cx23888 specific std setup func, we no longer rely on
641645
* the generic cx24840 func.
@@ -746,11 +750,13 @@ static void cx231xx_initialize(struct i2c_client *client)
746750
INIT_WORK(&state->fw_work, cx25840_work_handler);
747751
init_waitqueue_head(&state->fw_wait);
748752
q = create_singlethread_workqueue("cx25840_fw");
749-
prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
750-
queue_work(q, &state->fw_work);
751-
schedule();
752-
finish_wait(&state->fw_wait, &wait);
753-
destroy_workqueue(q);
753+
if (q) {
754+
prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE);
755+
queue_work(q, &state->fw_work);
756+
schedule();
757+
finish_wait(&state->fw_wait, &wait);
758+
destroy_workqueue(q);
759+
}
754760

755761
cx25840_std_setup(client);
756762

0 commit comments

Comments
 (0)