From: Arnd Bergmann
Date: Sun, 20 Dec 2020 12:36:23 +0100
Subject: Re: [PATCH 1/1] v4l: ioctl: Fix memory leak in video_usercopy
To: Sakari Ailus
Cc: Linux Media Mailing List, syzbot, Arnd Bergmann, Hans Verkuil, Laurent Pinchart, "linux-kernel@vger.kernel.org", Mauro Carvalho Chehab, syzkaller-bugs
In-Reply-To: <20201220110651.13432-1-sakari.ailus@linux.intel.com>

On Sun, Dec 20, 2020 at 12:06 PM Sakari Ailus wrote:
>
> When an IOCTL with argument size larger than 128 that also used array
> arguments was handled, two memory allocations were made but alas, only
> the latter one of them was released. This happened because there was only
> a single local variable to hold such a temporary allocation.
>
> Fix this by adding separate variables to hold the pointers to the
> temporary allocations.
>
> Reported-by: Arnd Bergmann
> Reported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com
> Fixes: d14e6d76ebf7 ("[media] v4l: Add multi-planar ioctl handling code")
> Cc: stable@vger.kernel.org
> Signed-off-by: Sakari Ailus

Acked-by: Arnd Bergmann

> out:
> + kvfree(array_buf);
> kvfree(mbuf);

I think it would make sense to change mbuf back to kzalloc()/kfree after
this, since the size of the ioctl argument has an upper bound of
2^_IOC_SIZEBITS (16KB), which does not need the vmalloc path, unlike the
array args.

      Arnd
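
Review bot: at the `out:` label, `kvfree(array_buf)` now runs on every exit path, including the ones taken before any array allocation has happened, so `array_buf` must be initialised to NULL where it is declared. That declaration is outside the quoted context and is worth confirming, since kvfree() of a NULL pointer is a no-op but kvfree() of an uninitialised stack value is not. A short comment at `out:` saying which allocation each pointer owns (the ioctl argument copy in `mbuf`, the array payload in `array_buf`) would also make it harder for a later change to reuse one variable for both again, which is the cause the commit message gives for the leak.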
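
The leak described in the commit message, reduced to a userspace model. This is an added example, not code from the patch or from the kernel: `usercopy_model`, `xalloc`, `xfree` and `SBUF_SIZE` are hypothetical names, and calloc()/free() stand in for kvmalloc()/kvfree().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: every allocation is counted, so a leak shows up as a
 * non-zero balance when the function returns. */
static int live;
static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live++; return p; }
static void xfree(void *p) { if (p) { live--; free(p); } }

#define SBUF_SIZE 128 /* arguments up to this size use the on-stack buffer */

/* fixed == 0: one pointer tracks both temporary allocations (pre-fix shape).
 * fixed == 1: the array payload gets its own pointer (post-fix shape).
 * Returns the number of allocations still live on exit, i.e. leaks. */
static int usercopy_model(size_t arg_size, size_t array_size, int fixed)
{
    char sbuf[SBUF_SIZE];
    void *mbuf = NULL, *array_buf = NULL, *parg = sbuf;
    int before = live;

    if (arg_size > sizeof(sbuf)) {
        mbuf = xalloc(arg_size);            /* first allocation: the argument */
        if (!mbuf)
            goto out;
        parg = mbuf;
    }
    memset(parg, 0, arg_size);              /* stand-in for copying the argument */
    if (array_size) {
        if (fixed)
            array_buf = xalloc(array_size); /* separate variable */
        else
            mbuf = xalloc(array_size);      /* overwrites the argument pointer */
    }
out:
    xfree(array_buf);                       /* NULL in the pre-fix shape: no-op */
    xfree(mbuf);                            /* pre-fix: frees only the latest one */
    return live - before;
}

int main(void)
{
    /* 256-byte argument plus an array payload takes both allocation paths. */
    printf("pre-fix leaks:  %d\n", usercopy_model(256, 64, 0));
    printf("post-fix leaks: %d\n", usercopy_model(256, 64, 1));
    return 0;
}
```

Only the combination of an argument larger than the on-stack buffer and a non-empty array payload leaks in the pre-fix shape, which matches the condition stated in the commit message.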