5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Guo <alexguo1023@gmail.com>
[ Upstream commit ed0234c8458b3149f15e496b48a1c9874dd24a1b ]
In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash.
Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Alex Guo <alexguo1023@gmail.com>
Link: https://lore.kernel.org/r/20250616013353.738790-1-alexguo1023@gmail.com
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/dvb-frontends/dib7000p.c | 6 ++++++
 1 file changed, 6 insertions(+)
--- a/drivers/media/dvb-frontends/dib7000p.c +++ b/drivers/media/dvb-frontends/dib7000p.c @@ -2200,6 +2200,9 @@ static int w7090p_tuner_write_serpar(str u16 i = 1000; u16 serpar_num = msg[0].buf[0];
+ if (msg[0].len < 3) + return -EOPNOTSUPP; + while (n_overflow == 1 && i) { n_overflow = (dib7000p_read_word(state, 1984) >> 1) & 0x1; i--; @@ -2220,6 +2223,9 @@ static int w7090p_tuner_read_serpar(stru u16 serpar_num = msg[0].buf[0]; u16 read_word;
+ if (msg[0].len < 1 || msg[1].len < 2) + return -EOPNOTSUPP; + while (n_overflow == 1 && i) { n_overflow = (dib7000p_read_word(state, 1984) >> 1) & 0x1; i--;
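Review bot: In the w7090p_tuner_write_serpar hunk the new `if (msg[0].len < 3)` check comes after the context line `u16 serpar_num = msg[0].buf[0];`, so the initializer still reads through msg[0].buf before the length is validated. That is the NULL-buffer, zero-length case the commit message sets out to prevent. Suggest declaring serpar_num without an initializer and assigning it from msg[0].buf[0] only after the length check has passed.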
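Review bot: In the w7090p_tuner_read_serpar hunk the added condition reads `msg[1].len`, but nothing in the visible lines establishes that a second message was supplied. Please confirm the caller guarantees at least two messages, or test the message count ahead of this check. As in the write path, `u16 serpar_num = msg[0].buf[0];` is evaluated before `msg[0].len < 1` is tested, so that assignment should also move below the check.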