Date: Wed, 25 Jul 2018 10:57:01 -0300
From: Mauro Carvalho Chehab
To: Akihiro TSUKADA
Cc: Colin Ian King, linux-media@vger.kernel.org, Antti Palosaari, "linux-kernel@vger.kernel.org", mika.batsman@gmail.com
Subject: Re: media: dvb-usb-v2/gl861: ensure USB message buffers DMA'able
Message-ID: <20180725105701.4f3b429b@coco.lan>
References: <8308d9f0-2257-101c-69e3-8fe165de9348@canonical.com>

On Tue, 3 Jul 2018 21:07:07 +0900, Akihiro TSUKADA wrote:

> Hi,
> thanks for the report.
>
> > 47         buf = NULL;
> >
> > Condition rlen > 0, taking false branch.
> >
> > 48         if (rlen > 0) {
> > 49                 buf = kmalloc(rlen, GFP_KERNEL);
> > 50                 if (!buf)
> > 51                         return -ENOMEM;
> > 52         }
> >
> > 53         usleep_range(1000, 2000); /* avoid I2C errors */
> > 54
> > CID 1470241 (#1 of 1): Explicit null dereferenced (FORWARD_NULL).
> > var_deref_model: Passing null pointer buf to usb_control_msg, which
> > dereferences it.
> >
> > 55         ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
> > req, type,
> > 56                               value, index, buf, rlen, 2000);
> >
> >
> > The assignment of buf = NULL means a null buffer is passed down the usb
> > control message stack until it eventually gets dereferenced. This only
> > occurs when rlen <= 0. I was unsure how to fix this for the case when
> > rlen <= 0, so I am flagging this up as an issue that needs fixing.
> >
>
> Since rlen is a u16, null pointer is passed only when rlen == 0,
> so I think it is not a problem,
> but I am OK to add a guard in order to make scan result clean.

There was another patch proposed to fix this issue which does the right
thing when rlen == 0. I rebased it on the top of the current tree:

	https://git.linuxtv.org/media_tree.git/commit/?id=0b666e1c8120c0b17a8a68aaed58e22011f06ab3

That should cover both cases.

Thanks,
Mauro
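
The allocation pattern from the quoted scan report, as a userspace model (an added example, not the driver's code and not the linked commit). `mock_control_msg` and `ctrl_read` are hypothetical names, `malloc` stands in for `kmalloc`, and the device reply bytes are constructed. It checks the boundary values of a 16-bit `rlen`, showing that a NULL buffer is only ever paired with a zero length:

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the USB core: fills `data` with `size` bytes.
 * Like a real transport, it has to touch `data` whenever size > 0. */
static int mock_control_msg(uint8_t *data, uint16_t size)
{
    if (size > 0 && data == NULL)
        return -EINVAL;                 /* the pairing the scanner warns about */
    for (uint16_t i = 0; i < size; i++)
        data[i] = (uint8_t)(0xA0 + i);  /* constructed device reply */
    return size;                        /* bytes transferred */
}

/* Control read through a heap bounce buffer, so the caller's buffer
 * (possibly on the stack) is never handed to the transport itself. */
int ctrl_read(uint8_t *rbuf, uint16_t rlen)
{
    uint8_t *buf = NULL;
    int ret;

    if (rlen > 0) {
        if (rbuf == NULL)
            return -EINVAL;             /* nowhere to copy the reply to */
        buf = malloc(rlen);             /* kmalloc(rlen, GFP_KERNEL) in a driver */
        if (!buf)
            return -ENOMEM;
    }

    /* Invariant: rlen is unsigned, so "rlen <= 0" can only mean rlen == 0,
     * and buf is NULL only in that case. */
    ret = mock_control_msg(buf, rlen);
    if (ret > 0)
        memcpy(rbuf, buf, (size_t)ret); /* copy back only what arrived */

    free(buf);                          /* free(NULL) is a no-op */
    return ret;
}

int main(void)
{
    uint8_t out[4] = {0};
    return ctrl_read(out, sizeof(out)) == 4 ? 0 : 1;
}
```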