From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Alan Cox, Sakari Ailus, Mauro Carvalho Chehab, Greg Kroah-Hartman, Andy Shevchenko, Hans Verkuil, linux-media@vger.kernel.org (open list:STAGING - ATOMISP DRIVER), devel@driverdev.osuosl.org (open list:STAGING SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] media: staging: atomisp: fix a potential missing-check bug
Date: Wed, 2 May 2018 17:38:49 -0500
Message-Id: <1525300731-27324-1-git-send-email-wang6495@umn.edu>

At the end of atomisp_subdev_set_selection(), the function atomisp_subdev_get_rect() is invoked to get the pointer to v4l2_rect. Since this function may return a NULL pointer, it is first invoked to check the returned pointer. If the returned pointer is not NULL, then the function is invoked again to obtain the pointer and the memory content at the location of the returned pointer is copied to the memory location of r.

In most cases, the pointers returned by the two invocations are the same. However, given that the pointer returned by the function atomisp_subdev_get_rect() is not a constant, it is possible that the two invocations return two different pointers. For example, another thread may race to modify the related pointers during the two invocations. In that case, even if the first returned pointer is not null, the second returned pointer might be null, which will cause issues such as null pointer dereference.

This patch saves the pointer returned by the first invocation and removes the second invocation. If the returned pointer is not NULL, the memory content is copied according to the original code.

Signed-off-by: Wenwen Wang
---
 drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c index 49a9973..d5fa513 100644 --- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c +++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c @@ -366,6 +366,7 @@ int atomisp_subdev_set_selection(struct v4l2_subdev *sd, unsigned int i; unsigned int padding_w = pad_w; unsigned int padding_h = pad_h; + struct v4l2_rect *p; stream_id = atomisp_source_pad_to_stream_id(isp_sd, vdev_pad); @@ -536,9 +537,10 @@ int atomisp_subdev_set_selection(struct v4l2_subdev *sd, ffmt[pad]->height = comp[pad]->height; } - if (!atomisp_subdev_get_rect(sd, cfg, which, pad, target)) + p = atomisp_subdev_get_rect(sd, cfg, which, pad, target); + if (!p) return -EINVAL; - *r = *atomisp_subdev_get_rect(sd, cfg, which, pad, target); + *r = *p; dev_dbg(isp->dev, "sel actual: l %d t %d w %d h %d\n", r->left, r->top, r->width, r->height); -- 2.7.4
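
Review bot: in the second hunk (@@ -536,9 +537,10 @@), saving the result in p removes the double call, but the copy `*r = *p;` is still only safe if the rectangle p points to cannot be changed or released by the racing thread the commit message describes. If that race is real, the lookup and the copy both need to happen under whatever lock serializes updates to these rectangles, and the commit message should name that lock. If callers already hold such a lock, the two calls could never have returned different pointers, and the change should be described as a cleanup rather than a bug fix.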
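
Review bot: the local added in the first hunk (@@ -366,6 +366,7 @@), `struct v4l2_rect *p;`, has a name that says nothing about what it holds, and its only use is some 170 lines further down in `*r = *p;`, where r and p are hard to tell apart. A descriptive name such as `rect` would make that final copy readable without scrolling back to the declaration.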