Hi Jerry,

Thank you for the patch.

On Fri, Sep 15, 2023 at 09:12:14AM -0700, Jerry Liu wrote:
> If the request length of UVC XU is 1 (even though this is illegal), due
> to 'data' may be the non-zero value, UVC_GET_LEN could potentially result
> in a length that is not 1 because of the high byte is not zero. In order
> to ensure that 2-byte data array is set to 0, 'kmalloc' is modified to 'kzalloc'.

I don't think this can happen. The call to uvc_query_ctrl(UVC_GET_LEN) is
given a length of 2. If the device responds with less than two bytes, the
function will return an error, and uvc_ctrl_fill_xu_info() will propagate
the error to the caller, without accessing the data array.

>
> Signed-off-by: Jerry Liu <jerry.liu@xxxxxxxxxxxxxx>
> --- > drivers/media/usb/uvc/uvc_ctrl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c > index 5e9d3da862dd..054bc14f7a58 100644 > --- a/drivers/media/usb/uvc/uvc_ctrl.c > +++ b/drivers/media/usb/uvc/uvc_ctrl.c > @@ -2088,7 +2088,7 @@ static int uvc_ctrl_fill_xu_info(struct uvc_device *dev, > u8 *data; > int ret; > > - data = kmalloc(2, GFP_KERNEL); > + data = kzalloc(2, GFP_KERNEL); > if (data == NULL) > return -ENOMEM; >

-- 
Regards,

Laurent Pinchart
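
Review bot: At `data = kzalloc(2, GFP_KERNEL);`, the commit message gives no code path on which `data` is read after a short UVC_GET_LEN response, so the zeroing has no demonstrated effect. Per the reply, uvc_query_ctrl(UVC_GET_LEN) is called with a length of 2 and returns an error when the device sends fewer than two bytes, and uvc_ctrl_fill_xu_info() returns that error without touching the array. If a short read can in fact reach the length computation, the fix belongs in a check on the transfer result rather than in the allocator; if the change is meant only as defensive zero-initialisation, the commit message should say so instead of describing a wrong length.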