Patch "media: i2c: ccs: Check rules is non-NULL" has been added to the 6.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    media: i2c: ccs: Check rules is non-NULL

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-i2c-ccs-check-rules-is-non-null.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 607bcc4213d998d051541d8f10b5bbb7d546c0be Mon Sep 17 00:00:00 2001
From: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>
Date: Sat, 29 Jul 2023 20:59:25 +0200
Subject: media: i2c: ccs: Check rules is non-NULL

From: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>

commit 607bcc4213d998d051541d8f10b5bbb7d546c0be upstream.

Fix the following smatch warning:

drivers/media/i2c/ccs/ccs-data.c:524 ccs_data_parse_rules() warn: address
of NULL pointer 'rules'

The CCS static data rule parser does not check an if rule has been
obtained before checking for other rule types (which depend on the if
rule). In practice this means parsing invalid CCS static data could lead
to dereferencing a NULL pointer.

Reported-by: Hans Verkuil <hverkuil@xxxxxxxxx>
Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library")
Cc: stable@xxxxxxxxxxxxxxx # for 5.11 and up
Signed-off-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/media/i2c/ccs/ccs-data.c |  101 +++++++++++++++++++++------------------
 1 file changed, 56 insertions(+), 45 deletions(-)

--- a/drivers/media/i2c/ccs/ccs-data.c
+++ b/drivers/media/i2c/ccs/ccs-data.c
@@ -464,8 +464,7 @@ static int ccs_data_parse_rules(struct b
 		rule_payload = __rule_type + 1;
 		rule_plen2 = rule_plen - sizeof(*__rule_type);
 
-		switch (*__rule_type) {
-		case CCS_DATA_BLOCK_RULE_ID_IF: {
+		if (*__rule_type == CCS_DATA_BLOCK_RULE_ID_IF) {
 			const struct __ccs_data_block_rule_if *__if_rules =
 				rule_payload;
 			const size_t __num_if_rules =
@@ -514,49 +513,61 @@ static int ccs_data_parse_rules(struct b
 				rules->if_rules = if_rule;
 				rules->num_if_rules = __num_if_rules;
 			}
-			break;
-		}
-		case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS:
-			rval = ccs_data_parse_reg_rules(bin, &rules->read_only_regs,
-							&rules->num_read_only_regs,
-							rule_payload,
-							rule_payload + rule_plen2,
-							dev);
-			if (rval)
-				return rval;
-			break;
-		case CCS_DATA_BLOCK_RULE_ID_FFD:
-			rval = ccs_data_parse_ffd(bin, &rules->frame_format,
-						  rule_payload,
-						  rule_payload + rule_plen2,
-						  dev);
-			if (rval)
-				return rval;
-			break;
-		case CCS_DATA_BLOCK_RULE_ID_MSR:
-			rval = ccs_data_parse_reg_rules(bin,
-							&rules->manufacturer_regs,
-							&rules->num_manufacturer_regs,
-							rule_payload,
-							rule_payload + rule_plen2,
-							dev);
-			if (rval)
-				return rval;
-			break;
-		case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT:
-			rval = ccs_data_parse_pdaf_readout(bin,
-							   &rules->pdaf_readout,
-							   rule_payload,
-							   rule_payload + rule_plen2,
-							   dev);
-			if (rval)
-				return rval;
-			break;
-		default:
-			dev_dbg(dev,
-				"Don't know how to handle rule type %u!\n",
-				*__rule_type);
-			return -EINVAL;
+		} else {
+			/* Check there was an if rule before any other rules */
+			if (bin->base && !rules)
+				return -EINVAL;
+
+			switch (*__rule_type) {
+			case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS:
+				rval = ccs_data_parse_reg_rules(bin,
+								rules ?
+								&rules->read_only_regs : NULL,
+								rules ?
+								&rules->num_read_only_regs : NULL,
+								rule_payload,
+								rule_payload + rule_plen2,
+								dev);
+				if (rval)
+					return rval;
+				break;
+			case CCS_DATA_BLOCK_RULE_ID_FFD:
+				rval = ccs_data_parse_ffd(bin, rules ?
+							  &rules->frame_format : NULL,
+							  rule_payload,
+							  rule_payload + rule_plen2,
+							  dev);
+				if (rval)
+					return rval;
+				break;
+			case CCS_DATA_BLOCK_RULE_ID_MSR:
+				rval = ccs_data_parse_reg_rules(bin,
+								rules ?
+								&rules->manufacturer_regs : NULL,
+								rules ?
+								&rules->num_manufacturer_regs : NULL,
+								rule_payload,
+								rule_payload + rule_plen2,
+								dev);
+				if (rval)
+					return rval;
+				break;
+			case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT:
+				rval = ccs_data_parse_pdaf_readout(bin,
+								   rules ?
+								   &rules->pdaf_readout : NULL,
+								   rule_payload,
+								   rule_payload + rule_plen2,
+								   dev);
+				if (rval)
+					return rval;
+				break;
+			default:
+				dev_dbg(dev,
+					"Don't know how to handle rule type %u!\n",
+					*__rule_type);
+				return -EINVAL;
+			}
 		}
 		__next_rule = __next_rule + rule_hlen + rule_plen;
 	}


Patches currently in stable-queue which might be from sakari.ailus@xxxxxxxxxxxxxxx are

queue-6.4/media-ov5640-fix-initial-resetb-state-and-annotate-t.patch
queue-6.4/media-ov2680-fix-vflip-hflip-set-functions.patch
queue-6.4/media-ipu-bridge-fix-null-pointer-deref-on-ssdb-pld-.patch
queue-6.4/media-ov2680-remove-auto-gain-and-auto-exposure-cont.patch
queue-6.4/media-ov2680-add-ov2680_fill_format-helper-function.patch
queue-6.4/media-documentation-fix-gs-_routing-documentation.patch
queue-6.4/media-v4l2-core-fix-a-potential-resource-leak-in-v4l.patch
queue-6.4/media-i2c-add-a-camera-sensor-top-level-menu.patch
queue-6.4/media-ov2680-fix-ov2680_bayer_order.patch
queue-6.4/media-ipu-bridge-do-not-use-on-stack-memory-for-soft.patch
queue-6.4/media-ad5820-drop-unsupported-ad5823-from-i2c_-and-o.patch
queue-6.4/media-ov5640-fix-low-resolution-image-abnormal-issue.patch
queue-6.4/media-ov2680-fix-ov2680_set_fmt-which-v4l2_subdev_fo.patch
queue-6.4/media-i2c-imx290-drop-format-param-from-imx290_ctrl_.patch
queue-6.4/media-ov5640-enable-mipi-interface-in-ov5640_set_pow.patch
queue-6.4/media-ipu3-cio2-rename-cio2-bridge-to-ipu-bridge-and.patch
queue-6.4/media-i2c-ccs-check-rules-is-non-null.patch
queue-6.4/media-ov2680-don-t-take-the-lock-for-try_fmt-calls.patch
queue-6.4/media-i2c-tvp5150-check-return-value-of-devm_kasprin.patch
queue-6.4/media-ov2680-fix-regulators-being-left-enabled-on-ov.patch
queue-6.4/media-ov2680-remove-video_v4l2_subdev_api-ifdef-s.patch



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux