From: Rui Miguel Silva rmfrfs@gmail.com
mainline inclusion from mainline-v6.10-rc1 commit a1ba19a1ae7cd1e324685ded4ab563e78fe68648 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA7D18 CVE: CVE-2024-38637
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
If channel for the given node is not found we return null from get_channel_from_mode. Make sure we validate the return pointer before using it in two of the missing places.
This was originally reported in [0]: Found by Linux Verification Center (linuxtesting.org) with SVACE.
[0] https://lore.kernel.org/all/20240301190425.120605-1-m.lobanov@rosalinux.ru
Fixes: 2870b52bae4c ("greybus: lights: add lights implementation") Reported-by: Mikhail Lobanov m.lobanov@rosalinux.ru Suggested-by: Mikhail Lobanov m.lobanov@rosalinux.ru Suggested-by: Alex Elder elder@ieee.org Signed-off-by: Rui Miguel Silva rmfrfs@gmail.com Link: https://lore.kernel.org/r/20240325221549.2185265-1-rmfrfs@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: dengquan dengquan9@huawei.com --- drivers/staging/greybus/light.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c index d2672b65c3f4..4fa97ae08408 100644 --- a/drivers/staging/greybus/light.c +++ b/drivers/staging/greybus/light.c @@ -147,6 +147,9 @@ static int __gb_lights_flash_brightness_set(struct gb_channel *channel) channel = get_channel_from_mode(channel->light, GB_CHANNEL_MODE_TORCH);
+ if (!channel) + return -EINVAL; + /* For not flash we need to convert brightness to intensity */ intensity = channel->intensity_uA.min + (channel->intensity_uA.step * channel->led->brightness); @@ -550,7 +553,10 @@ static int gb_lights_light_v4l2_register(struct gb_light *light) }
channel_flash = get_channel_from_mode(light, GB_CHANNEL_MODE_FLASH); - WARN_ON(!channel_flash); + if (!channel_flash) { + dev_err(dev, "failed to get flash channel from mode\n"); + return -EINVAL; + }
fled = &channel_flash->fled;