From patchwork Tue Nov 30 15:50:25 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ricardo Ribalda X-Patchwork-Id: 517324 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D347C43217 for ; Tue, 30 Nov 2021 15:53:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240633AbhK3P43 (ORCPT ); Tue, 30 Nov 2021 10:56:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47036 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242156AbhK3Pxx (ORCPT ); Tue, 30 Nov 2021 10:53:53 -0500 Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DEAE5C06175C for ; Tue, 30 Nov 2021 07:50:29 -0800 (PST) Received: by mail-wr1-x42f.google.com with SMTP id l16so45425143wrp.11 for ; Tue, 30 Nov 2021 07:50:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=cdAKuIWGNHoXcj5qxrDRO1k6wk3YEeV2N3wFRBB2HSM=; b=aazx5vnOse7eotqB3rGEhhHWQGGbIsoW6LYwigU2Jzu6JyGuU/HAOhnS6eneQsMmf+ F9BqwPpACwW7zHXMHcnmnUF8KEZhvSU9AzZw+A1OGW7gaoAgx7gMJ/J7qdSpeoylnIGq ZS2nerjzcDJO3793TmRYGKGSQXfOpeLIhO6gI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=cdAKuIWGNHoXcj5qxrDRO1k6wk3YEeV2N3wFRBB2HSM=; b=nkFM+MY3JB3bZcTEi7m5jtTOa7qY7vilEAaESr/BWAIqPRE1M8CZyw83m0xBhFNBC/ 6jjlaZXt3qM0C+Xhh19JOCSubVI/qMhoCa2535BZb32N9koIUASz/f7E5TN3JvG3sFkw QQsGkSOI5L2x1aNUzP95pjOXHtjkDXC6PJ2c4oTC7dx5YM7eslRqT31aIeXweQVtg8Vi nT760IyG8hJNa6a/Q7zxQeHlf8XQAr83qwtsyElYzzdHGvPOYzsmsKBhjYm32TVLbTDp bFXLQXV9Xftg/KZWDZXz0cGQ7Q1W1OktQEvKDWmNE/z1S1ddtHJFJQpC3KHpLLhculvA DGMQ== X-Gm-Message-State: AOAM532EvcEllCNxwRlVA85rxslepga/PhJ76q51lA2ctfzXt9ZtPJRx qWBUY06Qbk73fuHAnRpnDMgRFA== X-Google-Smtp-Source: ABdhPJw6JIVKeN0h68i03hrGw2p9Pk3fp+RhWJJoGq7Ge9YNqJ9cpKKukLholnCK4mcC1hbSXDdDwQ== X-Received: by 2002:a5d:6acc:: with SMTP id u12mr41255573wrw.628.1638287428569; Tue, 30 Nov 2021 07:50:28 -0800 (PST) Received: from beni.c.googlers.com.com (216.131.76.34.bc.googleusercontent.com. [34.76.131.216]) by smtp.gmail.com with ESMTPSA id b13sm13555207wrh.32.2021.11.30.07.50.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Nov 2021 07:50:28 -0800 (PST) From: Ricardo Ribalda To: Laurent Pinchart , Mauro Carvalho Chehab , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Ricardo Ribalda Subject: [PATCH 1/2] media: uvcvideo: Avoid invalid memory access Date: Tue, 30 Nov 2021 15:50:25 +0000 Message-Id: <20211130155026.1082594-1-ribalda@chromium.org> X-Mailer: git-send-email 2.34.0.384.gca35af8252-goog MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org If mappings points to an invalid memory, we will be invalid accessing it. Solve it by initializing the value of the variable mapping and by changing the order in the conditional statement (to avoid accessing mapping->id if not needed). Fix: kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI Fixes: 6350d6a4ed487 ("media: uvcvideo: Set error_idx during ctrl_commit errors") Signed-off-by: Ricardo Ribalda Reviewed-by: Laurent Pinchart --- drivers/media/usb/uvc/uvc_ctrl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index 30bfe9069a1fb..f7b7add3cfa59 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -852,8 +852,8 @@ static void __uvc_find_control(struct uvc_entity *entity, u32 v4l2_id, return; } - if ((*mapping == NULL || (*mapping)->id > map->id) && - (map->id > v4l2_id) && next) { + if (next && (map->id > v4l2_id) && + (*mapping == NULL || (*mapping)->id > map->id)) { *control = ctrl; *mapping = map; } @@ -1638,7 +1638,7 @@ static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity, struct v4l2_ext_controls *ctrls, struct uvc_control *uvc_control) { - struct uvc_control_mapping *mapping; + struct uvc_control_mapping *mapping = NULL; struct uvc_control *ctrl_found; unsigned int i; From patchwork Tue Nov 30 15:50:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ricardo Ribalda X-Patchwork-Id: 519499 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A7175C433FE for ; Tue, 30 Nov 2021 15:53:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234815AbhK3P4b (ORCPT ); Tue, 30 Nov 2021 10:56:31 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47050 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242231AbhK3Pxz (ORCPT ); Tue, 30 Nov 2021 10:53:55 -0500 Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6A2D1C06175E for ; Tue, 30 Nov 2021 07:50:30 -0800 (PST) Received: by mail-wr1-x434.google.com with SMTP id v11so45429001wrw.10 for ; Tue, 30 Nov 2021 07:50:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Ki71kgvDOv0KGrYuXh0nHXTuZUrKgQ/CTTcYFqAyUsg=; b=lKji71Xs/8y5DfDD7PvnNCgKeBARF8EgY+YS1H2YceR9q5672S7Evr8JOpkPbNUNjA 8CR5t6tcqubqke4qPHKx0XB1mKgNSBfzZn3VE1UDfU+ktWacb2/q0IgfClvO50Fhx0l2 FkRgnbMQnHw/SC3mQPHUraxkxtvQyuWhJtq1M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Ki71kgvDOv0KGrYuXh0nHXTuZUrKgQ/CTTcYFqAyUsg=; b=0UhtZcjAeU8N+5HkwgzNd7llTujA3DfLEmOcbMx1ffXoXgVk10Ug4Vi56P+IjoqlvI p/xv7IwBXSFpyOtHz4x0GJu/Aw7jXygCiiPoyXK3Nked5LRO3kR34zM10XWGhX3TcPJ3 N8iaxNO06/FO6t5L7K1OrI80iy7t/m1Q75JXm3BpJBEuoywanmPt5ROaUVra2qL92W5E drdZpqNqn3/jtxmqMpmJ//SecDOtJ1zCh6O3ZTU6FNReth1RfwCtHnbqWD9P4luqNVjW ncGcERwUgV+MIz1iO3o2Jxejbp/EO8BgNtzgAb7r080lCKw9EvWxhFQz7naHxYUsj+me 8D+Q== X-Gm-Message-State: AOAM5311DlmIu+Up8io/lK6pqT9zhrLznySZP5ZjhwjWMIzTUfz6/pxK YKRdGJK3hNOITIYPc3iSJdnfMA== X-Google-Smtp-Source: ABdhPJxjdpi4fGSp6dC1DdNHBxwP2B+1uYeTKIK3I9eW9J02Mr4OLGpPXYeQ069+IKh3xJ//I+Tj8Q== X-Received: by 2002:a5d:4fcc:: with SMTP id h12mr43511564wrw.434.1638287428990; Tue, 30 Nov 2021 07:50:28 -0800 (PST) Received: from beni.c.googlers.com.com (216.131.76.34.bc.googleusercontent.com. [34.76.131.216]) by smtp.gmail.com with ESMTPSA id b13sm13555207wrh.32.2021.11.30.07.50.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Nov 2021 07:50:28 -0800 (PST) From: Ricardo Ribalda To: Laurent Pinchart , Mauro Carvalho Chehab , Hans Verkuil , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Ricardo Ribalda Subject: [PATCH 2/2] media: uvcvideo: Avoid returning invalid controls Date: Tue, 30 Nov 2021 15:50:26 +0000 Message-Id: <20211130155026.1082594-2-ribalda@chromium.org> X-Mailer: git-send-email 2.34.0.384.gca35af8252-goog In-Reply-To: <20211130155026.1082594-1-ribalda@chromium.org> References: <20211130155026.1082594-1-ribalda@chromium.org> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org If the memory where ctrl_found is places has the value of uvc_ctrl and __uvc_find_control does not find the control we will return and invalid index. Fixes: 6350d6a4ed487 ("media: uvcvideo: Set error_idx during ctrl_commit errors") Signed-off-by: Ricardo Ribalda --- drivers/media/usb/uvc/uvc_ctrl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index f7b7add3cfa59..f1f6bb14fb0a6 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -1639,7 +1639,7 @@ static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity, struct uvc_control *uvc_control) { struct uvc_control_mapping *mapping = NULL; - struct uvc_control *ctrl_found; + struct uvc_control *ctrl_found = NULL; unsigned int i; if (!entity)