From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Alan Cox, Sakari Ailus, Mauro Carvalho Chehab, Greg Kroah-Hartman, Andy Shevchenko, Hans Verkuil, linux-media@vger.kernel.org (open list:STAGING - ATOMISP DRIVER), devel@driverdev.osuosl.org (open list:STAGING SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] media: staging: atomisp: fix a potential missing-check bug
Date: Fri, 4 May 2018 02:29:54 -0500
Message-Id: <1525418996-19246-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

At the end of atomisp_subdev_set_selection(), the function
atomisp_subdev_get_rect() is invoked to get the pointer to v4l2_rect. Since
this function may return a NULL pointer, it is first invoked to check the
returned pointer. If the returned pointer is not NULL, then the function is
invoked again to obtain the pointer and the memory content at the location
of the returned pointer is copied to the memory location of r.

In most cases, the pointers returned by the two invocations are the same.
However, given that the pointer returned by the function
atomisp_subdev_get_rect() is not a constant, it is possible that the two
invocations return two different pointers. For example, another thread may
race to modify the related pointers during the two invocations. In that
case, even if the first returned pointer is not null, the second returned
pointer might be null, which will cause issues such as null pointer
dereference.

This patch saves the pointer returned by the first invocation and removes
the second invocation. If the returned pointer is not NULL, the memory
content is copied according to the original code.

Signed-off-by: Wenwen Wang
---
 drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c index 49a9973..d5fa513 100644 --- a/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c +++ b/drivers/staging/media/atomisp/pci/atomisp2/atomisp_subdev.c @@ -366,6 +366,7 @@ int atomisp_subdev_set_selection(struct v4l2_subdev *sd, unsigned int i; unsigned int padding_w = pad_w; unsigned int padding_h = pad_h; + struct v4l2_rect *p; stream_id = atomisp_source_pad_to_stream_id(isp_sd, vdev_pad); @@ -536,9 +537,10 @@ int atomisp_subdev_set_selection(struct v4l2_subdev *sd, ffmt[pad]->height = comp[pad]->height; } - if (!atomisp_subdev_get_rect(sd, cfg, which, pad, target)) + p = atomisp_subdev_get_rect(sd, cfg, which, pad, target); + if (!p) return -EINVAL; - *r = *atomisp_subdev_get_rect(sd, cfg, which, pad, target); + *r = *p; dev_dbg(isp->dev, "sel actual: l %d t %d w %d h %d\n", r->left, r->top, r->width, r->height); -- 2.7.4
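Review bot: the local added in the first hunk, `struct v4l2_rect *p;`, has a name that says nothing about what it holds, and the hunk headers put its declaration near line 366 while its use in the second hunk is near line 537 of the same function. A descriptive name such as `rect` would let the later `*r = *p;` be read without going back to the declaration block.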
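Review bot: the race given as the motivation in the commit message is not closed by the second hunk, because nothing visible there takes a lock around `p = atomisp_subdev_get_rect(sd, cfg, which, pad, target);` and the copy `*r = *p;`. Saving the pointer guarantees that the value tested by `if (!p)` is the value dereferenced, but if another thread can really change what atomisp_subdev_get_rect() returns, the object behind `p` can still change between the check and the copy. If callers of atomisp_subdev_set_selection() are already serialised, the commit message should say which lock does that and describe the change as removing a redundant call; if they are not, the lookup and the copy need to sit under the lock that protects the rectangle.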