Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1278678ybi; Fri, 21 Jun 2019 18:05:14 -0700 (PDT) X-Google-Smtp-Source: APXvYqzjCRmvaflhMNimmqqvzFOn0bDEXihL/V0YVmvI1WSEP8leejRRACiUcy2RJj9ji0P/98Pu X-Received: by 2002:a17:90a:7787:: with SMTP id v7mr10148059pjk.143.1561165514342; Fri, 21 Jun 2019 18:05:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561165514; cv=none; d=google.com; s=arc-20160816; b=wucN/sydgnxuAxUoZhDA9oxqiB2yWMPqHh/Ajb+JF8os0Vre3V3p/TaGHJjawxfifR DxnLGkZhhH6y59K23/gm9T4uwAFYT+jIgeQRcV72GonpugZbDs555u56AX6Gf7Kiv0nK +r95+REfZefph1nJF6IIn1X8N6IJhlA/pZv9wjLdJPmfaMNtbfmNeXDZ3K/sGcNpstya QOlgarOGdbF6NhZWFwBhZbFA+UnJ5dK2pMRSRIohWr75VGwW9qv7ItGTDaWBolzYpuvL ni6QbR+TaFXfem+uVkMtFYsn9Ldo6lFk+XBo5jymTkgFPTlPng4nTHL8j4fmINvlHN8E QeJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:content-disposition :mime-version:message-id:subject:cc:to:from:date:dkim-signature; bh=GfizAMGSCO2YDH0saSeDriLC3WuBj3aonCixX8hvm+M=; b=h1itLmXixqWojYOb3O9PV/pUKwGg65a+ysqFeenINR/RjndOKQ42GdNCk+L57WJ0R6 Kiq3KLQVfTufW92KFZlO76dJICSpEnVmmh+3RPJYMeb1bqCLMawh8vPe5upfLOj3x/mp 3gMGz2WQm+QwOkdSlQK9eot82ObY34f/tsKoJv0hmLvaEHIn7MZOiFMoTZwNXzygigtB sbjr6UzpQ7voeVsFJ4UPmyV03j/u2B+UHMCNL9FfTiCO3mbCoIbynfAz3JOebb80SOnG Tw+K8Gy0+7UJ9cj3n/UBt5qkim7e/mraC1zh0yKKsqza4HKrgSQUH2Epcs+js+tuDnQB fSdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@eng.ucsd.edu header.s=google header.b=WjE0UV2z; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ucsd.edu Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g16si4047324pfi.31.2019.06.21.18.04.58; Fri, 21 Jun 2019 18:05:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@eng.ucsd.edu header.s=google header.b=WjE0UV2z; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ucsd.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726374AbfFVBEm (ORCPT + 99 others); Fri, 21 Jun 2019 21:04:42 -0400 Received: from mail-pg1-f194.google.com ([209.85.215.194]:38928 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726137AbfFVBEm (ORCPT ); Fri, 21 Jun 2019 21:04:42 -0400 Received: by mail-pg1-f194.google.com with SMTP id 196so4143152pgc.6 for ; Fri, 21 Jun 2019 18:04:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=eng.ucsd.edu; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition :user-agent; bh=GfizAMGSCO2YDH0saSeDriLC3WuBj3aonCixX8hvm+M=; b=WjE0UV2zFRzt+OwF5oLL6YtpYoOZvtc1PCDVPa6t6K+AwAxebcFBGTwvu0jFojzJFt uXMdlRxqk9OEjOWC1GmwYKunk9GjEt8hWVgDfbX5ZAb7dZXYzsBdG1NfPuhMBBGpZ1IR Qd3j8PePYowCqtIwRkeDXdIRU2kh/BX10Ya7o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition:user-agent; bh=GfizAMGSCO2YDH0saSeDriLC3WuBj3aonCixX8hvm+M=; b=WfUC+gtSSOwCOkGK9eTtQ1I0nIO+w5TU8vjogBOnEw8RH+LqQ4pQRF73LMSkPnNEVG wmorncua1pPbiIiMhEiZhnGp2jje/eYwT5KYTVlEEkyPJ4TUis1SzPQJJpc2LOSjhepS yGm1Z20lKbx0c0RxvbYTctdekVRHK+AkqXvTL96fNlSBqoJ6R8En1qfZSxGRWIMwelqi B5AWUxekQEe1kTzPEYyWmiMQJh55HFv6+COxU8IC4q6qh4+XzFPBWaOA7m7wi1hDf30r rZ3sJBO4bsTF8RPk7Vy6dxpb+m7aA+fgdlJaWwoL06fagrE/R7MfMxB5nMt3kElyQXta SiXQ== X-Gm-Message-State: APjAAAWmywBCaxeAg/Ovam1D9exlmVSx9wfWatPg2HVtUDWllWv8bZrL ROFOj7PB3zFDeQW41BDjxslerg== X-Received: by 2002:a63:db05:: with SMTP id e5mr21195210pgg.121.1561165481427; Fri, 21 Jun 2019 18:04:41 -0700 (PDT) Received: from luke-XPS-13 (cpe-66-75-255-136.san.res.rr.com. [66.75.255.136]) by smtp.gmail.com with ESMTPSA id s24sm3814436pfh.133.2019.06.21.18.04.39 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Fri, 21 Jun 2019 18:04:40 -0700 (PDT) Date: Fri, 21 Jun 2019 18:04:38 -0700 From: Luke Nowakowski-Krijger To: hverkuil@xs4all.nl Cc: mchehab@kernel.org, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org Subject: [Linux-kernel-mentees] [PATCH v4 RESEND] Media: Radio: Change devm_k*alloc to k*alloc Message-ID: <20190622010438.GA10125@luke-XPS-13> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Change devm_k*alloc to k*alloc to manually allocate memory The manual allocation and freeing of memory is necessary because when the USB radio is disconnected, the memory associated with devm_k*alloc is freed. Meaning if we still have unresolved references to the radio device, then we get use-after-free errors. This patch fixes this by manually allocating memory, and freeing it in the v4l2.release callback that gets called when the last radio device exits. Reported-and-tested-by: syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com Signed-off-by: Luke Nowakowski-Krijger --- Changes in RESEND: + Added reported-and-tested-by tag + Further updated description - Removed whitespace in patch description Changes in v4: - Removed whitespace to fix checkpatch.pl errors Changes in v3: + Update release method in v2 for v4l2.release callback + Assign v4l2.release callback to release method - Remove vdev.release callback used in v2 Changes in v2: + Create raremono_device_release method + Assign vdev.release to release method + Added gotos for better memory cleanup - Removed incorrect kfrees in usb_release in v1 Changes in v1: + Added k*allocs to raremono_device struct, and buffs + Added kfrees on error conditions in usb_probe + Added kfrees in usb_release - Removed devm_k*allocs drivers/media/radio/radio-raremono.c | 31 +++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/drivers/media/radio/radio-raremono.c b/drivers/media/radio/radio-raremono.c index 5e782b3c2fa9..a5b12372eccb 100644 --- a/drivers/media/radio/radio-raremono.c +++ b/drivers/media/radio/radio-raremono.c @@ -271,6 +271,15 @@ static int vidioc_g_frequency(struct file *file, void *priv, return 0; } +static void raremono_device_release(struct v4l2_device *v4l2_dev) +{ + struct raremono_device *radio = to_raremono_dev(v4l2_dev); + + kfree(radio->buffer); + kfree(radio); +} + + /* File system interface */ static const struct v4l2_file_operations usb_raremono_fops = { .owner = THIS_MODULE, @@ -295,12 +304,14 @@ static int usb_raremono_probe(struct usb_interface *intf, struct raremono_device *radio; int retval = 0; - radio = devm_kzalloc(&intf->dev, sizeof(struct raremono_device), GFP_KERNEL); - if (radio) - radio->buffer = devm_kmalloc(&intf->dev, BUFFER_LENGTH, GFP_KERNEL); - - if (!radio || !radio->buffer) + radio = kzalloc(sizeof(struct raremono_device), GFP_KERNEL); + if (!radio) + return -ENOMEM; + radio->buffer = kmalloc(BUFFER_LENGTH, GFP_KERNEL); + if (!radio->buffer) { + kfree(radio); return -ENOMEM; + } radio->usbdev = interface_to_usbdev(intf); radio->intf = intf; @@ -324,7 +335,8 @@ static int usb_raremono_probe(struct usb_interface *intf, if (retval != 3 || (get_unaligned_be16(&radio->buffer[1]) & 0xfff) == 0x0242) { dev_info(&intf->dev, "this is not Thanko's Raremono.\n"); - return -ENODEV; + retval = -ENODEV; + goto free_mem; } dev_info(&intf->dev, "Thanko's Raremono connected: (%04X:%04X)\n", @@ -333,7 +345,7 @@ static int usb_raremono_probe(struct usb_interface *intf, retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev); if (retval < 0) { dev_err(&intf->dev, "couldn't register v4l2_device\n"); - return retval; + goto free_mem; } mutex_init(&radio->lock); @@ -345,6 +357,7 @@ static int usb_raremono_probe(struct usb_interface *intf, radio->vdev.ioctl_ops = &usb_raremono_ioctl_ops; radio->vdev.lock = &radio->lock; radio->vdev.release = video_device_release_empty; + radio->v4l2_dev.release = raremono_device_release; usb_set_intfdata(intf, &radio->v4l2_dev); @@ -360,6 +373,10 @@ static int usb_raremono_probe(struct usb_interface *intf, } dev_err(&intf->dev, "could not register video device\n"); v4l2_device_unregister(&radio->v4l2_dev); + +free_mem: + kfree(radio->buffer); + kfree(radio); return retval; } -- 2.20.1