| Message ID | 20220517095521.6897-1-ruc_gongyuanjun@163.com (mailing list archive) |
|---|---|
| State | Rejected |
| Headers | show |
| Series | [1/1] platform/chrome: check *dest of memcpy | expand |
On Tue, May 17, 2022 at 05:55:21PM +0800, Yuanjun Gong wrote: > From: Gong Yuanjun <ruc_gongyuanjun@163.com> > > In regulator/cros-ec-regulator.c, cros_ec_cmd is sometimes called > with *indata set to NULL. > > static int cros_ec_regulator_enable(struct regulator_dev *dev){ > ... > cros_ec_cmd(data->ec_dev, 0, EC_CMD_REGULATOR_ENABLE, &cmd, > sizeof(cmd), NULL, 0) > ...} > > Don't do memcpy if indata is NULL. > > Signed-off-by: Gong Yuanjun <ruc_gongyuanjun@163.com> > --- > drivers/platform/chrome/cros_ec_proto.c | 2 +- > drivers/regulator/cros-ec-regulator.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/platform/chrome/cros_ec_proto.c b/drivers/platform/chrome/cros_ec_proto.c > index c4caf2e2de82..da175c57cff7 100644 > --- a/drivers/platform/chrome/cros_ec_proto.c > +++ b/drivers/platform/chrome/cros_ec_proto.c > @@ -938,7 +938,7 @@ int cros_ec_command(struct cros_ec_device *ec_dev, > if (ret < 0) > goto error; > > - if (insize) > + if (indata && insize) > memcpy(indata, msg->data, insize); > error: > kfree(msg); > diff --git a/drivers/regulator/cros-ec-regulator.c b/drivers/regulator/cros-ec-regulator.c > index c4754f3cf233..1c7ff085e492 100644 > --- a/drivers/regulator/cros-ec-regulator.c > +++ b/drivers/regulator/cros-ec-regulator.c > @@ -44,7 +44,7 @@ static int cros_ec_cmd(struct cros_ec_device *ec, u32 version, u32 command, > if (ret < 0) > goto cleanup; > > - if (insize) > + if (indata && insize) > memcpy(indata, msg->data, insize); > > cleanup: > -- > 2.17.1 > <formletter> This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly. </formletter>
On Tue, May 17, 2022 at 05:55:21PM +0800, Yuanjun Gong wrote: > From: Gong Yuanjun <ruc_gongyuanjun@163.com> > > In regulator/cros-ec-regulator.c, cros_ec_cmd is sometimes called > with *indata set to NULL. > > static int cros_ec_regulator_enable(struct regulator_dev *dev){ > ... > cros_ec_cmd(data->ec_dev, 0, EC_CMD_REGULATOR_ENABLE, &cmd, > sizeof(cmd), NULL, 0) > ...} > > Don't do memcpy if indata is NULL. The fix makes less sense to me. Did you find somewhere that `indata` is NULL but `insize` is not 0?
diff --git a/drivers/platform/chrome/cros_ec_proto.c b/drivers/platform/chrome/cros_ec_proto.c index c4caf2e2de82..da175c57cff7 100644 --- a/drivers/platform/chrome/cros_ec_proto.c +++ b/drivers/platform/chrome/cros_ec_proto.c @@ -938,7 +938,7 @@ int cros_ec_command(struct cros_ec_device *ec_dev, if (ret < 0) goto error; - if (insize) + if (indata && insize) memcpy(indata, msg->data, insize); error: kfree(msg); diff --git a/drivers/regulator/cros-ec-regulator.c b/drivers/regulator/cros-ec-regulator.c index c4754f3cf233..1c7ff085e492 100644 --- a/drivers/regulator/cros-ec-regulator.c +++ b/drivers/regulator/cros-ec-regulator.c @@ -44,7 +44,7 @@ static int cros_ec_cmd(struct cros_ec_device *ec, u32 version, u32 command, if (ret < 0) goto cleanup; - if (insize) + if (indata && insize) memcpy(indata, msg->data, insize); cleanup: