From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Alan Cox, Sakari Ailus, Mauro Carvalho Chehab, Greg Kroah-Hartman, Andy Shevchenko, Hans Verkuil, linux-media@vger.kernel.org (open list:STAGING - ATOMISP DRIVER), devel@driverdev.osuosl.org (open list:STAGING SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] media: staging: atomisp: fix a potential missing-check bug
Date: Sat, 28 Apr 2018 18:02:31 -0500
Message-Id: <1524956553-20678-1-git-send-email-wang6495@umn.edu>

At the end of atomisp_subdev_set_selection(), the function
atomisp_subdev_get_rect() is invoked to get the pointer to v4l2_rect. Since
this function may return a NULL pointer, it is first invoked to check the
returned pointer. If the returned pointer is not NULL, then the function is
invoked again to obtain the pointer and the memory content at the location
of the returned pointer is copied to the memory location of r. In most
cases, the pointers returned by the two invocations are the same. However,
given that the pointer returned by the function atomisp_subdev_get_rect()
is not a constant, it is possible that the two invocations return two
different pointers. For example, another thread may race to modify the
related pointers during the two invocations. In that case, even if the
first returned pointer is not null, the second returned pointer might be
null, which will cause issues such as null pointer dereference.

This patch saves the pointer returned by the first invocation and removes
the second invocation. If the returned pointer is not NULL, the memory
content is copied according to the original code.

Signed-off-by: Wenwen Wang
---
 drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c index 49a9973..d5fa513 100644 --- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c +++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c @@ -366,6 +366,7 @@ int atomisp_subdev_set_selection(struct v4l2_subdev *sd, unsigned int i; unsigned int padding_w = pad_w; unsigned int padding_h = pad_h; + struct v4l2_rect *p; stream_id = atomisp_source_pad_to_stream_id(isp_sd, vdev_pad); @@ -536,9 +537,10 @@ int atomisp_subdev_set_selection(struct v4l2_subdev *sd, ffmt[pad]->height = comp[pad]->height; } - if (!atomisp_subdev_get_rect(sd, cfg, which, pad, target)) + p = atomisp_subdev_get_rect(sd, cfg, which, pad, target); + if (!p) return -EINVAL; - *r = *atomisp_subdev_get_rect(sd, cfg, which, pad, target); + *r = *p; dev_dbg(isp->dev, "sel actual: l %d t %d w %d h %d\n", r->left, r->top, r->width, r->height); -- 2.7.4
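
Review bot: In the first hunk (@@ -366,6 +366,7 @@), the new local `struct v4l2_rect *p;` has a name that says nothing about what it holds, in a function that already carries locals such as `i`, `padding_w` and `padding_h`. A name like `rect` would make the later `if (!p)` and `*r = *p;` self-explanatory.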
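
Review bot: In the second hunk (@@ -536,9 +537,10 @@), caching the result in `p` removes the second lookup but does not close the race the commit message describes: nothing in the visible lines holds a lock across `p = atomisp_subdev_get_rect(sd, cfg, which, pad, target);` and `*r = *p;`, so if another thread can change what the getter returns, the rectangle `p` points at can just as well change or go away before the copy. Either name the lock that callers already hold, in which case the two calls always agreed and the changelog should describe this as removing a redundant call, or take that lock around the lookup and the copy. Separately, the `return -EINVAL` path sits after the context line `ffmt[pad]->height = comp[pad]->height;`, so the function can fail after format state has been written; doing the lookup and NULL check before those updates would avoid returning an error with state partly changed.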