Date: Thu, 4 May 2023 23:09:53 +0800
Subject: Re: [PATCH] drivers: staging: greybus: fix GPF issue in gb_camera_capture
To: Johan Hovold
Cc: Alex Elder, Greg Kroah-Hartman, Jacopo Mondi, Laurent Pinchart, Greg Kroah-Hartman, greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
References: <20230504135841.1566958-1-dzm91@hust.edu.cn>
From: Dongliang Mu

On 5/4/23 PM10:54, Johan Hovold wrote:
> On Thu, May 04, 2023 at 09:58:41PM +0800, Dongliang Mu wrote:
>> In gb_camera_capture(), it does not check the value of settings
>> before dereferencing it. And gb_camera_debugfs_capture calls
>> gb_camera_capture with the 6th parameter settings as NULL.
> Looks like you just broke gb_camera_debugfs_capture() which relies on
> passing NULL as settings.

Yes, just mentioned by Dan, this memcpy is intended with zero length and NULL src. Please ignore this patch.

>> Fix this by checking the value of setting at the starting of
>> gb_camera_capture.
>>
>> Fixes: 3265edaf0d70 ("greybus: Add driver for the camera class protocol")
>> Signed-off-by: Dongliang Mu
>> ---
>> drivers/staging/greybus/camera.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/camera.c >> index cdbb42cd413b..5a4b26e7f645 100644 >> --- a/drivers/staging/greybus/camera.c >> +++ b/drivers/staging/greybus/camera.c >> @@ -659,7 +659,7 @@ static int gb_camera_capture(struct gb_camera *gcam, u32 request_id, >> size_t req_size; >> int ret; >> >> - if (settings_size > GB_CAMERA_MAX_SETTINGS_SIZE) >> + if (settings_size > GB_CAMERA_MAX_SETTINGS_SIZE || !settings) >> return -EINVAL; >> >> req_size = sizeof(*req) + settings_size;
> Johan
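
Review bot: the `|| !settings` term added to the size check at the top of gb_camera_capture() rejects every call with a NULL settings pointer, including the caller the commit message itself names: gb_camera_debugfs_capture() passes NULL as the 6th parameter, so that path would now always return -EINVAL. If a guard is wanted here, it should reject NULL only when there is data to copy, for example `if (settings_size && !settings) return -EINVAL;`, leaving the NULL pointer with zero settings_size case working. The commit message should also identify which dereference faults, because the visible context only shows `req_size = sizeof(*req) + settings_size;`, which does not touch settings at all.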