Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp926843ybi; Fri, 2 Aug 2019 06:36:09 -0700 (PDT) X-Google-Smtp-Source: APXvYqxkKrqHxdfYEtkUMawaxtsMDKxtLseR/EmMAd3AO4uaeEQROWOHOLEg4pkHq8YavVk1mKmi X-Received: by 2002:a63:5a0a:: with SMTP id o10mr51914086pgb.282.1564752969497; Fri, 02 Aug 2019 06:36:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564752969; cv=none; d=google.com; s=arc-20160816; b=RLKnLYOxL3nx8JaNd57aWFkpXRjZ+jYcyJHHJjoDUyfjUoGnluBBHFrwMmKxvAR2bg Ugwhfdhhk7mGcTu5ilctvSCbVorW6o0Rg2s1p68Ku5y2jnK/quwHBDGloECgg4gPGC/4 owYv+Jm9mBcnmd4H2KNt0paxenxHtVluj5OIrN3fTU+SvVNboLFRdsusJ+wT7I5/OlqK sZuqYZZi4Du2HB5mGrhV48Qm9nkgAKnr8XRVh4oXF52rmCHW1YAtIGa9WEVWrrriPxGd klWnT41rtLCzTWpzumRBlsVlylNgQoT1Q1CNlr3yxIVYE9h0lvTWXX/1zvfypMezHcQE 4V5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=E+ZRDjLARZn9D9lGpYwln3pO4kyHCUIYBSLn55BuI0g=; b=U/LPnECQxUhS7+r8fW5DNIZMu3njckQG2s4HbkdV7oNc5xjpTCm4BC0kkeMY7oZqg2 xW08j5BQXCHv6StPeEX6NkPSC9H+cmTUC1t5TqQlTKyavHg/ENqKbTMzfhBQ2v4XGmi/ wBn+HkaxCR2nplLOihadOW0W22Jh9Gt0fG3RBPu+Ct0WlIgsJeVqqxzaZiZ/3rb0T1Wy JuCY716H1MuWSmIV7fk1uyUOEQOT9DIgY/HEGqDbZGwIZiAWH6Cj6cN017SMk5BHrTv5 ml4EPz2V+HeSM2WLj4AlYsRaARw0bJy7n5a1T1BePse7oMgwGEq37wFWU1NuLtCYOa2Q QTWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=v9vOoiHE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x184si25938788pfb.24.2019.08.02.06.35.54; Fri, 02 Aug 2019 06:36:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=v9vOoiHE; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2406579AbfHBJ5Y (ORCPT + 99 others); Fri, 2 Aug 2019 05:57:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:36510 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2406875AbfHBJ5U (ORCPT ); Fri, 2 Aug 2019 05:57:20 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 89B1C2087E; Fri, 2 Aug 2019 09:57:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1564739840; bh=ZjDcXP0Wz/sTUK16guHwPbb1e26Bau2spHDEwnTu/GA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=v9vOoiHEi3TUBe3RSYrdcP4Py74o/ISuHx+ryTHjkuf6u06fJVk2QFxYch35OKjel kjX2ZBMz1epWA1tN+kyKX3qEA96O4CSNGYnKMcy9BeIk4xTNQfZ1oCXd4nXdcaTqEq vr5wjgk7cwxnTf2bATHUP0k6SldpAcYGjKNoRUAc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Luke Nowakowski-Krijger , Hans Verkuil , Mauro Carvalho Chehab , syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com Subject: [PATCH 5.2 10/20] media: radio-raremono: change devm_k*alloc to k*alloc Date: Fri, 2 Aug 2019 11:40:04 +0200 Message-Id: <20190802092100.285432717@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190802092055.131876977@linuxfoundation.org> References: <20190802092055.131876977@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Luke Nowakowski-Krijger commit c666355e60ddb4748ead3bdd983e3f7f2224aaf0 upstream. Change devm_k*alloc to k*alloc to manually allocate memory The manual allocation and freeing of memory is necessary because when the USB radio is disconnected, the memory associated with devm_k*alloc is freed. Meaning if we still have unresolved references to the radio device, then we get use-after-free errors. This patch fixes this by manually allocating memory, and freeing it in the v4l2.release callback that gets called when the last radio device exits. Reported-and-tested-by: syzbot+a4387f5b6b799f6becbf@syzkaller.appspotmail.com Signed-off-by: Luke Nowakowski-Krijger Signed-off-by: Hans Verkuil [hverkuil-cisco@xs4all.nl: cleaned up two small checkpatch.pl warnings] [hverkuil-cisco@xs4all.nl: prefix subject with driver name] Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/radio/radio-raremono.c | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) --- a/drivers/media/radio/radio-raremono.c +++ b/drivers/media/radio/radio-raremono.c @@ -271,6 +271,14 @@ static int vidioc_g_frequency(struct fil return 0; } +static void raremono_device_release(struct v4l2_device *v4l2_dev) +{ + struct raremono_device *radio = to_raremono_dev(v4l2_dev); + + kfree(radio->buffer); + kfree(radio); +} + /* File system interface */ static const struct v4l2_file_operations usb_raremono_fops = { .owner = THIS_MODULE, @@ -295,12 +303,14 @@ static int usb_raremono_probe(struct usb struct raremono_device *radio; int retval = 0; - radio = devm_kzalloc(&intf->dev, sizeof(struct raremono_device), GFP_KERNEL); - if (radio) - radio->buffer = devm_kmalloc(&intf->dev, BUFFER_LENGTH, GFP_KERNEL); - - if (!radio || !radio->buffer) + radio = kzalloc(sizeof(*radio), GFP_KERNEL); + if (!radio) + return -ENOMEM; + radio->buffer = kmalloc(BUFFER_LENGTH, GFP_KERNEL); + if (!radio->buffer) { + kfree(radio); return -ENOMEM; + } radio->usbdev = interface_to_usbdev(intf); radio->intf = intf; @@ -324,7 +334,8 @@ static int usb_raremono_probe(struct usb if (retval != 3 || (get_unaligned_be16(&radio->buffer[1]) & 0xfff) == 0x0242) { dev_info(&intf->dev, "this is not Thanko's Raremono.\n"); - return -ENODEV; + retval = -ENODEV; + goto free_mem; } dev_info(&intf->dev, "Thanko's Raremono connected: (%04X:%04X)\n", @@ -333,7 +344,7 @@ static int usb_raremono_probe(struct usb retval = v4l2_device_register(&intf->dev, &radio->v4l2_dev); if (retval < 0) { dev_err(&intf->dev, "couldn't register v4l2_device\n"); - return retval; + goto free_mem; } mutex_init(&radio->lock); @@ -345,6 +356,7 @@ static int usb_raremono_probe(struct usb radio->vdev.ioctl_ops = &usb_raremono_ioctl_ops; radio->vdev.lock = &radio->lock; radio->vdev.release = video_device_release_empty; + radio->v4l2_dev.release = raremono_device_release; usb_set_intfdata(intf, &radio->v4l2_dev); @@ -360,6 +372,10 @@ static int usb_raremono_probe(struct usb } dev_err(&intf->dev, "could not register video device\n"); v4l2_device_unregister(&radio->v4l2_dev); + +free_mem: + kfree(radio->buffer); + kfree(radio); return retval; }