* [PATCH AUTOSEL 4.9 27/68] media: pxa_camera: Fix check for pdev->dev.of_node
[not found] <20191113015932.12655-1-sashal@kernel.org>
@ 2019-11-13 1:58 ` Sasha Levin
2019-11-13 1:59 ` [PATCH AUTOSEL 4.9 55/68] media: isif: fix a NULL pointer dereference bug Sasha Levin
2019-11-13 1:59 ` [PATCH AUTOSEL 4.9 57/68] media: cx231xx: fix potential sign-extension overflow on large shift Sasha Levin
2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2019-11-13 1:58 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Nathan Chancellor, Nick Desaulniers, Hans Verkuil,
Mauro Carvalho Chehab, Sasha Levin, linux-media,
clang-built-linux
From: Nathan Chancellor <natechancellor@gmail.com>
[ Upstream commit 44d7f1a77d8c84f8e42789b5475b74ae0e6d4758 ]
Clang warns that the address of a pointer will always evaluated as true
in a boolean context.
drivers/media/platform/pxa_camera.c:2400:17: warning: address of
'pdev->dev.of_node' will always evaluate to 'true'
[-Wpointer-bool-conversion]
if (&pdev->dev.of_node && !pcdev->pdata) {
~~~~~~~~~~^~~~~~~ ~~
1 warning generated.
Judging from the rest of the kernel, it seems like this was an error and
just the value of of_node should be checked rather than the address.
Reported-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/pxa_camera.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/pxa_camera.c b/drivers/media/platform/pxa_camera.c
index 390d708c807a0..3fab9f776afa7 100644
--- a/drivers/media/platform/pxa_camera.c
+++ b/drivers/media/platform/pxa_camera.c
@@ -2334,7 +2334,7 @@ static int pxa_camera_probe(struct platform_device *pdev)
pcdev->res = res;
pcdev->pdata = pdev->dev.platform_data;
- if (&pdev->dev.of_node && !pcdev->pdata) {
+ if (pdev->dev.of_node && !pcdev->pdata) {
err = pxa_camera_pdata_from_dt(&pdev->dev, pcdev, &pcdev->asd);
} else {
pcdev->platform_flags = pcdev->pdata->flags;
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH AUTOSEL 4.9 55/68] media: isif: fix a NULL pointer dereference bug
[not found] <20191113015932.12655-1-sashal@kernel.org>
2019-11-13 1:58 ` [PATCH AUTOSEL 4.9 27/68] media: pxa_camera: Fix check for pdev->dev.of_node Sasha Levin
@ 2019-11-13 1:59 ` Sasha Levin
2019-11-13 1:59 ` [PATCH AUTOSEL 4.9 57/68] media: cx231xx: fix potential sign-extension overflow on large shift Sasha Levin
2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2019-11-13 1:59 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Wenwen Wang, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin,
linux-media
From: Wenwen Wang <wang6495@umn.edu>
[ Upstream commit a26ac6c1bed951b2066cc4b2257facd919e35c0b ]
In isif_probe(), there is a while loop to get the ISIF base address and
linearization table0 and table1 address. In the loop body, the function
platform_get_resource() is called to get the resource. If
platform_get_resource() returns NULL, the loop is terminated and the
execution goes to 'fail_nobase_res'. Suppose the loop is terminated at the
first iteration because platform_get_resource() returns NULL and the
execution goes to 'fail_nobase_res'. Given that there is another while loop
at 'fail_nobase_res' and i equals to 0, one iteration of the second while
loop will be executed. However, the second while loop does not check the
return value of platform_get_resource(). This can cause a NULL pointer
dereference bug if the return value is a NULL pointer.
This patch avoids the above issue by adding a check in the second while
loop after the call to platform_get_resource().
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/davinci/isif.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/davinci/isif.c b/drivers/media/platform/davinci/isif.c
index 99faea2e84c6b..78e37cf3470f2 100644
--- a/drivers/media/platform/davinci/isif.c
+++ b/drivers/media/platform/davinci/isif.c
@@ -1106,7 +1106,8 @@ static int isif_probe(struct platform_device *pdev)
while (i >= 0) {
res = platform_get_resource(pdev, IORESOURCE_MEM, i);
- release_mem_region(res->start, resource_size(res));
+ if (res)
+ release_mem_region(res->start, resource_size(res));
i--;
}
vpfe_unregister_ccdc_device(&isif_hw_dev);
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH AUTOSEL 4.9 57/68] media: cx231xx: fix potential sign-extension overflow on large shift
[not found] <20191113015932.12655-1-sashal@kernel.org>
2019-11-13 1:58 ` [PATCH AUTOSEL 4.9 27/68] media: pxa_camera: Fix check for pdev->dev.of_node Sasha Levin
2019-11-13 1:59 ` [PATCH AUTOSEL 4.9 55/68] media: isif: fix a NULL pointer dereference bug Sasha Levin
@ 2019-11-13 1:59 ` Sasha Levin
2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2019-11-13 1:59 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Colin Ian King, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin,
linux-media
From: Colin Ian King <colin.king@canonical.com>
[ Upstream commit 32ae592036d7aeaabcccb2b1715373a68639a768 ]
Shifting the u8 value[3] by an int can lead to sign-extension
overflow. For example, if value[3] is 0xff and the shift is 24 then it
is promoted to int and then the top bit is sign-extended so that all
upper 32 bits are set. Fix this by casting value[3] to a u32 before
the shift.
Detected by CoverityScan, CID#1016522 ("Unintended sign extension")
Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/cx231xx/cx231xx-video.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/cx231xx/cx231xx-video.c b/drivers/media/usb/cx231xx/cx231xx-video.c
index 6414188ffdfac..cd973e780da93 100644
--- a/drivers/media/usb/cx231xx/cx231xx-video.c
+++ b/drivers/media/usb/cx231xx/cx231xx-video.c
@@ -1389,7 +1389,7 @@ int cx231xx_g_register(struct file *file, void *priv,
ret = cx231xx_read_ctrl_reg(dev, VRT_GET_REGISTER,
(u16)reg->reg, value, 4);
reg->val = value[0] | value[1] << 8 |
- value[2] << 16 | value[3] << 24;
+ value[2] << 16 | (u32)value[3] << 24;
reg->size = 4;
break;
case 1: /* AFE - read byte */
--
2.20.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-11-13 2:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20191113015932.12655-1-sashal@kernel.org>
2019-11-13 1:58 ` [PATCH AUTOSEL 4.9 27/68] media: pxa_camera: Fix check for pdev->dev.of_node Sasha Levin
2019-11-13 1:59 ` [PATCH AUTOSEL 4.9 55/68] media: isif: fix a NULL pointer dereference bug Sasha Levin
2019-11-13 1:59 ` [PATCH AUTOSEL 4.9 57/68] media: cx231xx: fix potential sign-extension overflow on large shift Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).