Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp929180pxb;
        Wed, 13 Jan 2021 21:04:48 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzuViiEo6Ks8uhUssa73VVlZAJMf1W1qlSzqn/ft488AhDNlBA3u+xaguu8GxUT4WG62+OL
X-Received: by 2002:a17:906:1288:: with SMTP id k8mr3901221ejb.206.1610600688517;
        Wed, 13 Jan 2021 21:04:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610600688; cv=none;
        d=google.com; s=arc-20160816;
        b=Z0SQ+AtODT3KO8tuxSxwjimtU8tDGN466ATR6v+iIcsD3/dcONkQSJSJMFNf1EymnG
         m9YoRR/u0aNxhoa+yP1KcX/8DHMO5vqqGOPP7C0LeGYK0SHmzArst5ZMDUQRV8MF6CwK
         Ok9q+nbHgOBQeR1LacX2hZIFoFjipHHdUJIRM9HUn5PNQ/v7A1rse6YKnibqbNRA/Lnn
         XSZzwvsPdsNH0Mh7aAbLjktiRQhSnYzAI4ALJ7gyqHZU2coKQeerTRdkIQB0JS1Fxxxi
         WylDATi7h8H8VXBQuGjEusnsd2a0RzZe33XSA0Ii3G5E9NgpRfRA0YTiOmXjf1hDab1a
         736w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:references:cc
         :to:from:subject:ironport-sdr:ironport-sdr;
        bh=qVlW17A0aqt2K1NKiWfiI7I0cauYQ7D4XbDP2pZt4nE=;
        b=iGXzXkoMU+uD2sMzRoMJnVVK85NciNx1jeBpp38kq9WxkKqot5mcpebeSqgxDhnSTE
         SH+J75edbzyIjl1K9BfasGPI+WrwNqiRHmWpip5UzjR89tLyclZTx4iwQB8YW9nkVFh7
         +teVeI5M9Zyxp5vcen2w7XjhxkYNhTXigHt1aJ+GnHzfYb7YPqVdfUt2hTEXOeVWIefA
         fUTwJJanyFzBqVB15oC/Vc2LoUee0tmtBfuA92dPX21dWnS/JAJ9jAeO2Q75B7KyoCLV
         aNF4Y+DDaXW6xH/7XumIWTUDns4XTYJ8oxaxGwhfTWR0ieRRJ+NJ+3bB3L4lMIKyDpay
         2sbA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id w24si226827eds.15.2021.01.13.21.04.25;
        Wed, 13 Jan 2021 21:04:48 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726140AbhANFCu (ORCPT <rfc822;liu198754@gmail.com> + 99 others);
        Thu, 14 Jan 2021 00:02:50 -0500
Received: from mga14.intel.com ([192.55.52.115]:56291 "EHLO mga14.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725841AbhANFCu (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 14 Jan 2021 00:02:50 -0500
IronPort-SDR: 2evkBKie8j4m6YUa9ZNEOVLtHEbKEkxJqGMHemFZD2/iOtD65NaLO38G8Sc95dM5Wi/SGUUMYQ
 yufVz4MGMigQ==
X-IronPort-AV: E=McAfee;i="6000,8403,9863"; a="177531197"
X-IronPort-AV: E=Sophos;i="5.79,346,1602572400"; 
   d="scan'208";a="177531197"
Received: from orsmga002.jf.intel.com ([10.7.209.21])
  by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jan 2021 21:01:04 -0800
IronPort-SDR: Aq1bVifH5L/5VZ84+HyvvunwmqkKFOA4ZiEg7DLSKP3oIL65Oui/pCjATYJPe7wamd0O2+10ak
 6N2w66aB4+mw==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.79,346,1602572400"; 
   d="scan'208";a="364112319"
Received: from ipu5-build.bj.intel.com (HELO [10.238.232.196]) ([10.238.232.196])
  by orsmga002.jf.intel.com with ESMTP; 13 Jan 2021 21:01:02 -0800
Subject: Re: [PATCH v2 1/1] v4l: ioctl: Fix memory leak in video_usercopy
From:   Bingbu Cao <bingbu.cao@linux.intel.com>
To:     Sakari Ailus <sakari.ailus@linux.intel.com>,
        linux-media@vger.kernel.org
Cc:     Arnd Bergmann <arnd@kernel.org>,
        syzbot <syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Hans Verkuil <hverkuil-cisco@xs4all.nl>,
        Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Mauro Carvalho Chehab <mchehab@kernel.org>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>
References: <20201220201124.13688-1-sakari.ailus@linux.intel.com>
 <29c100a1-cfea-9312-1d83-2d3b0c1c02d4@linux.intel.com>
Message-ID: <9ece0e2b-0a83-a986-5987-b9dd354d61c1@linux.intel.com>
Date:   Thu, 14 Jan 2021 12:59:05 +0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <29c100a1-cfea-9312-1d83-2d3b0c1c02d4@linux.intel.com>
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 1/14/21 12:50 PM, Bingbu Cao wrote:
> Sakari,
> 
> On 12/21/20 4:11 AM, Sakari Ailus wrote:
>> When an IOCTL with argument size larger than 128 that also used array
>> arguments were handled, two memory allocations were made but alas, only
>> the latter one of them was released. This happened because there was only
>> a single local variable to hold such a temporary allocation.
>>
>> Fix this by adding separate variables to hold the pointers to the
>> temporary allocations.
>>
>> Reported-by: Arnd Bergmann <arnd@kernel.org>
>> Reported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com
>> Fixes: d14e6d76ebf7 ("[media] v4l: Add multi-planar ioctl handling code")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
>> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
>> ---
>>  drivers/media/v4l2-core/v4l2-ioctl.c | 32 ++++++++++++----------------
>>  1 file changed, 14 insertions(+), 18 deletions(-)
>>
>> diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
>> index 3198abdd538c..9906b41004e9 100644
>> --- a/drivers/media/v4l2-core/v4l2-ioctl.c
>> +++ b/drivers/media/v4l2-core/v4l2-ioctl.c
>> @@ -3283,7 +3283,7 @@ video_usercopy(struct file *file, unsigned int orig_cmd, unsigned long arg,
>>  	       v4l2_kioctl func)
>>  {
>>  	char	sbuf[128];
>> -	void    *mbuf = NULL;
>> +	void    *mbuf = NULL, *array_buf = NULL;
>>  	void	*parg = (void *)arg;
>>  	long	err  = -EINVAL;
>>  	bool	has_array_args;
>> @@ -3318,27 +3318,21 @@ video_usercopy(struct file *file, unsigned int orig_cmd, unsigned long arg,
>>  	has_array_args = err;
>>  
>>  	if (has_array_args) {
>> -		/*
>> -		 * When adding new types of array args, make sure that the
>> -		 * parent argument to ioctl (which contains the pointer to the
>> -		 * array) fits into sbuf (so that mbuf will still remain
>> -		 * unused up to here).
>> -		 */
>> -		mbuf = kvmalloc(array_size, GFP_KERNEL);
>> +		array_buf = kvmalloc(array_size, GFP_KERNEL);
>>  		err = -ENOMEM;
>> -		if (NULL == mbuf)
>> +		if (array_buf == NULL)
> 
> if (!array_buf)
> ?
> 
Please ignore my previous comment, as the patch was landed. :)
....
-- 
Best regards,
Bingbu Cao