Re: [PATCH] usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c

[Michael Grzeschik <mgr@xxxxxxxxxxxxxx>]

Hi Laurent,

On Fri, Aug 02, 2024 at 09:18:41PM +0300, Laurent Pinchart wrote:
> Hi Abhishek,
>
> (CC'ing Michael Grzeschik)
>
> Thank you for the patch.
>
> On Fri, Aug 02, 2024 at 11:32:47PM +0530, Abhishek Tamboli wrote:
> > Fix potential dereferencing of ERR_PTR() in find_format_by_pix()
> > and uvc_v4l2_enum_format().
> >
> > Fix the following smatch errors:
> >
> > drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()
> > error: 'fmtdesc' dereferencing possible ERR_PTR()
> > drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()
> > error: 'fmtdesc' dereferencing possible ERR_PTR()
> >
> > Signed-off-by: Abhishek Tamboli <abhishektamboli9@xxxxxxxxx>
> > ---
> >  drivers/usb/gadget/function/uvc_v4l2.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
> > index a024aecb76dc..9dd602a742c4 100644
> > --- a/drivers/usb/gadget/function/uvc_v4l2.c
> > +++ b/drivers/usb/gadget/function/uvc_v4l2.c
> > @@ -121,6 +121,9 @@ static struct uvcg_format *find_format_by_pix(struct uvc_device *uvc,
> >  	list_for_each_entry(format, &uvc->header->formats, entry) {
> >  		const struct uvc_format_desc *fmtdesc = to_uvc_format(format->fmt);
> >
> > +		if (IS_ERR(fmtdesc))
> > +			continue;
> > +
> >  		if (fmtdesc->fcc == pixelformat) {
> >  			uformat = format->fmt;
> >  			break;
> > @@ -389,6 +392,9 @@ uvc_v4l2_enum_format(struct file *file, void *fh, struct v4l2_fmtdesc *f)
> >  		return -EINVAL;
> >
> >  	fmtdesc = to_uvc_format(uformat);
> > +	if (IS_ERR(fmtdesc))
> > +		return -EINVAL;
> > +
> >  	f->pixelformat = fmtdesc->fcc;
> >
> >  	return 0;
>
> Michael, you authored this, I'll let you review the patch and decide if
> this is a false positive.

Since the following patch was applied,

https://lore.kernel.org/all/20240221-uvc-gadget-configfs-guid-v1-1-f0678ca62ebb@xxxxxxxxxxxxxx/

the issue is technically impossible to happen.

However the patch I mentioned was only applied recently and in all older
kernels someone could add a format into configfs that is not part of
uvc_format_desc from drivers/media/common/uvc.c and therefor can run
into the issue.

As this will also not hurt the current kernel I would like the patch
to be applied with the Tag:

Fixes: 588b9e8560 (usb: gadget: uvc: add v4l2 enumeration api calls)

Thanks,
Michael

--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Attachment: signature.asc
Description: PGP signature