From: Dinghao Liu
To: dinghao.liu@zju.edu.cn, kjlu@umn.edu
Cc: Mauro Carvalho Chehab , linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] media: em28xx: Fix use-after-free in em28xx_alloc_urbs
Date: Mon, 28 Dec 2020 21:02:05 +0800
Message-Id: <20201228130205.14381-1-dinghao.liu@zju.edu.cn>
X-Mailer: git-send-email 2.17.1
X-Mailing-List: linux-kernel@vger.kernel.org

When kzalloc() fails, em28xx_uninit_usb_xfer() will free usb_bufs->buf and set it to NULL. Thus the later access to usb_bufs->buf[i] will lead to a null pointer dereference. Also, the kfree(usb_bufs->buf) after that is redundant.

Fixes: d571b592c6206 ("media: em28xx: don't use coherent buffer for DMA transfers")
Signed-off-by: Dinghao Liu --- drivers/media/usb/em28xx/em28xx-core.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c index e6088b5d1b80..3daa64bb1e1d 100644 --- a/drivers/media/usb/em28xx/em28xx-core.c +++ b/drivers/media/usb/em28xx/em28xx-core.c @@ -956,14 +956,10 @@ int em28xx_alloc_urbs(struct em28xx *dev, enum em28xx_mode mode, int xfer_bulk, usb_bufs->buf[i] = kzalloc(sb_size, GFP_KERNEL); if (!usb_bufs->buf[i]) { - em28xx_uninit_usb_xfer(dev, mode); - for (i--; i >= 0; i--) kfree(usb_bufs->buf[i]); - kfree(usb_bufs->buf); - usb_bufs->buf = NULL; - + em28xx_uninit_usb_xfer(dev, mode); return -ENOMEM; } -- 2.17.1
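Review bot: the retained cleanup loop and the moved em28xx_uninit_usb_xfer() call may now free the same buffers twice. The commit message says em28xx_uninit_usb_xfer() frees usb_bufs->buf; if it also walks the array and frees each non-NULL usb_bufs->buf[i], then every buffer allocated before the failing kzalloc() is freed once by `for (i--; i >= 0; i--) kfree(usb_bufs->buf[i]);` (which does not clear the entries it frees) and again by the uninit call that now follows it, turning the reported NULL dereference into a double free. Please confirm what em28xx_uninit_usb_xfer() does with the per-buffer pointers: either drop the loop and rely on the uninit call alone, or set usb_bufs->buf[i] = NULL in the loop after each kfree(). Separately, the subject says "use-after-free" while the body describes a NULL pointer dereference of usb_bufs->buf[i]; the two should agree.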