From nobody Wed Feb 11 19:43:59 2026
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0326EC7EE26
	for <linux-kernel@archiver.kernel.org>; Thu,  4 May 2023 14:03:07 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231209AbjEDODF (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Thu, 4 May 2023 10:03:05 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48950 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229845AbjEDODD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 4 May 2023 10:03:03 -0400
Received: from hust.edu.cn (unknown [202.114.0.240])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AEDBE46BB
        for <linux-kernel@vger.kernel.org>;
 Thu,  4 May 2023 07:03:02 -0700 (PDT)
Received: from localhost.localdomain ([172.16.0.254])
        (user=dzm91@hust.edu.cn mech=LOGIN bits=0)
        by mx1.hust.edu.cn  with ESMTP id 344E1fZO011334-344E1fZR011334
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
 verify=NO);
        Thu, 4 May 2023 22:01:46 +0800
From: Dongliang Mu <dzm91@hust.edu.cn>
To: Johan Hovold <johan@kernel.org>, Alex Elder <elder@kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jacopo Mondi <jacopo.mondi@linaro.org>,
        Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Dongliang Mu <dzm91@hust.edu.cn>,
        Greg Kroah-Hartman <gregkh@google.com>,
        greybus-dev@lists.linaro.org, linux-staging@lists.linux.dev,
        linux-kernel@vger.kernel.org
Subject: [PATCH] drivers: staging: greybus: fix GPF issue in gb_camera_capture
Date: Thu,  4 May 2023 21:58:41 +0800
Message-Id: <20230504135841.1566958-1-dzm91@hust.edu.cn>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-FEAS-AUTH-USER: dzm91@hust.edu.cn
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

In gb_camera_capture(), it does not check the value of settings
before dereferencing it. And gb_camera_debugfs_capture calls
gb_camera_capture with the 6th parameter settings as NULL.

Fix this by checking the value of setting at the starting of
gb_camera_capture.

Fixes: 3265edaf0d70 ("greybus: Add driver for the camera class protocol")
Signed-off-by: Dongliang Mu <dzm91@hust.edu.cn>
---
 drivers/staging/greybus/camera.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/cam=
era.c
index cdbb42cd413b..5a4b26e7f645 100644
--- a/drivers/staging/greybus/camera.c
+++ b/drivers/staging/greybus/camera.c
@@ -659,7 +659,7 @@ static int gb_camera_capture(struct gb_camera *gcam, u3=
2 request_id,
 	size_t req_size;
 	int ret;
=20
-	if (settings_size > GB_CAMERA_MAX_SETTINGS_SIZE)
+	if (settings_size > GB_CAMERA_MAX_SETTINGS_SIZE || !settings)
 		return -EINVAL;
=20
 	req_size =3D sizeof(*req) + settings_size;
--=20
2.39.2