From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com, Tuomas Tynkkynen, Hans Verkuil, Sakari Ailus, Mauro Carvalho Chehab
Subject: [PATCH 5.8 422/464] media: media-request: Fix crash if memory allocation fails
Date: Mon, 17 Aug 2020 17:16:15 +0200
Message-Id: <20200817143853.988809228@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200817143833.737102804@linuxfoundation.org>
References: <20200817143833.737102804@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Tuomas Tynkkynen

commit e30cc79cc80fd919b697a15c5000d9f57487de8e upstream.

Syzbot reports a NULL-ptr deref in the kref_put() call:

BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline]
kref_put include/linux/kref.h:64 [inline]
media_request_put drivers/media/mc/mc-request.c:81 [inline]
media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89
__fput+0x2ed/0x750 fs/file_table.c:281
task_work_run+0x147/0x1d0 kernel/task_work.c:123
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:165 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196

What led to this crash was an injected memory allocation failure in
media_request_alloc():

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
should_failslab+0x5/0x20
kmem_cache_alloc_trace+0x57/0x300
? anon_inode_getfile+0xe5/0x170
media_request_alloc+0x339/0x440
media_device_request_alloc+0x94/0xc0
media_device_ioctl+0x1fb/0x330
? do_vfs_ioctl+0x6ea/0x1a00
? media_ioctl+0x101/0x120
? __media_device_usb_init+0x430/0x430
? media_poll+0x110/0x110
__se_sys_ioctl+0xf9/0x160
do_syscall_64+0xf3/0x1b0

When that allocation fails, filp->private_data is left uninitialized, which
media_request_close() does not expect and crashes.

To avoid this, reorder media_request_alloc() such that allocating the struct
file happens as the last step; thus media_request_close() will no longer get
called for a partially created media request.

Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Tuomas Tynkkynen
Fixes: 10905d70d788 ("media: media-request: implement media requests")
Reviewed-by: Hans Verkuil
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
---
 drivers/media/mc/mc-request.c | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)
--- a/drivers/media/mc/mc-request.c +++ b/drivers/media/mc/mc-request.c @@ -296,9 +296,18 @@ int media_request_alloc(struct media_dev if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free)) return -ENOMEM; + if (mdev->ops->req_alloc) + req = mdev->ops->req_alloc(mdev); + else + req = kzalloc(sizeof(*req), GFP_KERNEL); + if (!req) + return -ENOMEM; + fd = get_unused_fd_flags(O_CLOEXEC); - if (fd < 0) - return fd; + if (fd < 0) { + ret = fd; + goto err_free_req; + } filp = anon_inode_getfile("request", &request_fops, NULL, O_CLOEXEC); if (IS_ERR(filp)) { @@ -306,15 +315,6 @@ int media_request_alloc(struct media_dev goto err_put_fd; } - if (mdev->ops->req_alloc) - req = mdev->ops->req_alloc(mdev); - else - req = kzalloc(sizeof(*req), GFP_KERNEL); - if (!req) { - ret = -ENOMEM; - goto err_fput; - } - filp->private_data = req; req->mdev = mdev; req->state = MEDIA_REQUEST_STATE_IDLE; @@ -336,12 +336,15 @@ int media_request_alloc(struct media_dev return 0; -err_fput: - fput(filp); - err_put_fd: put_unused_fd(fd); +err_free_req: + if (mdev->ops->req_free) + mdev->ops->req_free(req); + else + kfree(req); + return ret; }
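Review bot: in the first hunk (@@ -296,9 +296,18 @@), the new `err_free_req` path's choice between `mdev->ops->req_free(req)` and `kfree(req)` is only safe because of the `WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free)` check directly above the new allocation, and that check still returns -ENOMEM for what is an ops-table mismatch rather than an allocation failure; since this function is being reworked anyway, returning -EINVAL there would give a driver author an accurate error for a mis-filled media_device_ops, and a one-line comment tying the check to the alloc/free pairing below would document why the two branches must match.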
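Review bot: in the second hunk (@@ -306,15 +315,6 @@), after the allocation block is removed nothing between a successful `anon_inode_getfile()` and `filp->private_data = req;` can fail any more, and that is the whole invariant that keeps `media_request_close()` from running on a request with a NULL private_data; the code does not say so, so a short comment above the `anon_inode_getfile()` call ("must stay the last fallible step: once filp exists, fput() will invoke media_request_close()") would stop a later change from reintroducing the crash by inserting another allocation or check between the two lines.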
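Review bot: in the third hunk (@@ -336,12 +336,15 @@), the `err_free_req` block repeats the `req_free`/`kfree` selection that the allocation site earlier in the same function already encodes, so the two can drift if one is edited without the other; a small static helper, say media_request_free(mdev, req), used from this label and from any other place a request is freed would keep them in lockstep. The fall-through from `err_put_fd:` into `err_free_req:` is correct for the IS_ERR(filp) path, because req is allocated before the fd in the new order, but the labels now depend on their relative position, so they should stay adjacent and not be reordered by a later cleanup.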
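The failure mode the commit message describes, as an added userspace model that is not kernel code and not part of this patch: a file-like object whose release callback dereferences private_data, a request allocation that can be made to fail on demand, and the two orderings of media_request_alloc() side by side. Every name here is a stand-in invented for the example (struct file, anon_file_get(), file_put(), request_close(), request_alloc(), and the inject_req_alloc_failure flag that imitates the failslab injection shown in the trace above); only the ordering logic mirrors the before and after of the patch.

```c
/* Added example: a userspace model of the teardown-ordering bug this patch
 * fixes. Not kernel code; struct file, anon_inode_getfile(), fput() and
 * media_request_close() are replaced by stand-ins, and a global flag plays
 * the role of failslab fault injection. */
#include <stdio.h>
#include <stdlib.h>

struct request { int refs; };                  /* refs stands in for the kref */
struct file {
	void *private_data;
	void (*release)(struct file *);
};

static int inject_req_alloc_failure;  /* fault injection: next request_alloc() fails */
static int release_saw_null;          /* release() calls that found private_data unset */

/* Stand-in for media_request_close(), run by fput() on the last reference. */
static void request_close(struct file *filp)
{
	struct request *req = filp->private_data;
	if (!req) {               /* the kernel's kref_put() dereferences NULL here */
		release_saw_null++;
		return;
	}
	if (--req->refs == 0)
		free(req);
}

/* Stand-in for anon_inode_getfile(): once it exists, fput() will call release(). */
static struct file *anon_file_get(void)
{
	struct file *filp = calloc(1, sizeof(*filp));
	if (filp)
		filp->release = request_close;
	return filp;
}

static void file_put(struct file *filp)        /* stand-in for fput() */
{
	filp->release(filp);
	free(filp);
}

static struct request *request_alloc(void)
{
	struct request *req = inject_req_alloc_failure ? NULL : calloc(1, sizeof(*req));
	if (req)
		req->refs = 1;
	return req;
}

/* Pre-fix ordering: the file is created before the request it will own. */
int alloc_old(struct file **out)
{
	struct file *filp = anon_file_get();
	struct request *req;
	if (!filp)
		return -1;
	req = request_alloc();
	if (!req) {
		file_put(filp);   /* release() runs with private_data still NULL */
		return -1;
	}
	filp->private_data = req;
	*out = filp;
	return 0;
}

/* Post-fix ordering: every fallible step runs before the file exists. */
int alloc_new(struct file **out)
{
	struct request *req = request_alloc();
	struct file *filp;
	if (!req)
		return -1;
	filp = anon_file_get();
	if (!filp) {
		free(req);        /* no file yet, so no release() can observe req */
		return -1;
	}
	filp->private_data = req;
	*out = filp;
	return 0;
}

/* Run a variant with or without the injected failure; returns how many times
 * release() ran on a half-built file. 0 means the ordering is safe. */
int count_unsafe_releases(int (*variant)(struct file **), int inject)
{
	struct file *filp = NULL;
	release_saw_null = 0;
	inject_req_alloc_failure = inject;
	if (variant(&filp) == 0)
		file_put(filp);   /* the normal close path; private_data is set */
	inject_req_alloc_failure = 0;
	return release_saw_null;
}

int main(void)
{
	printf("unsafe releases under alloc failure: old=%d new=%d\n",
	       count_unsafe_releases(alloc_old, 1), count_unsafe_releases(alloc_new, 1));
	return 0;
}
```

The general rule the model illustrates is the one the patch applies: whatever step hands an object to a destructor path (here, creating the struct file, whose fput() unconditionally calls the release callback) must be the last step that can fail, or the destructor must tolerate a partially initialised object. The same harness, with the flag flipped on the other allocation, shows that the post-fix order still frees the request cleanly when the file creation is the step that fails.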