Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp4900651pxb; Tue, 25 Jan 2022 23:37:13 -0800 (PST) X-Google-Smtp-Source: ABdhPJyzpWBiGgvQszh1aIm+gW+GYw64pOhvdMx1SjEOw/Y9jOn34sOBGCC7GUj++xa79a+umJpy X-Received: by 2002:a17:90b:1b04:: with SMTP id nu4mr7629121pjb.214.1643182633527; Tue, 25 Jan 2022 23:37:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643182633; cv=none; d=google.com; s=arc-20160816; b=QzcCZo7INLA/PvC9SNbkzUn5h9V91CBQsRFpSMHvfJ1p1iH5qHzAlyHP0zX1ZJsIkQ c9IlSI6caMIHKKD+SoW6XSxCO6w9b7riIVkLeQ9yPxHGvOj7vNJ0M/NqCKxIoEJsF8WU V0oeiHFPn8bELo+95yAa1kFS8rm+2kTxXn57Hp8yd/m6jUYhAh0U2qkRUHD+XkjNGxNA p780duLyR5gv8aCKtyhf1vaxKBCh30sYx/WQ5Jyfr8v+6wJmdcwdfgoaBeGNoer95dGv MqohRiJOw6xiLRo7Rby/EY2LoTzukkFNFHknZGMkPBiSoemG9qtjwo8ecK6iMsGq9OEg d2gQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=eyhVVgnYooxs4w4We1+LKSJJZTvTfr3x5yWUa8pnpNo=; b=YV8FLzavsdsxUN6nuZ/yL3noN5leuLAUbLSTnXW212p+aEens5oFwZJf5BxQh2nPHy qj5NTMaZkjof6ToDza2i2Se9dHKFrIZ88gTJDJCGMFkHEpTXGH96YOl3zmt9ggb+Blt9 T6v4j/0MXI3c3fWy39V/Yonm1I7ZKhgCcuuvMGqbyzOH6Yahd8h2cYRRdiuSEYnUTipR OArE48tXY0IeJRn2w5fdwIp3tFwxXNJORZKLJDzbzjTVVBuX6Pi348+p3QvIbIyCwZsq dnwoMGYTpfZm1JOKkUVGd20TzcjpE4VvoarGiP8VLnnwf+lPo5QkIt2QK7SoWEyHPunZ BZrQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 9si16871329pll.118.2022.01.25.23.37.01; Tue, 25 Jan 2022 23:37:13 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229873AbiAYTVI (ORCPT + 99 others); Tue, 25 Jan 2022 14:21:08 -0500 Received: from jabberwock.ucw.cz ([46.255.230.98]:50250 "EHLO jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229739AbiAYTUn (ORCPT ); Tue, 25 Jan 2022 14:20:43 -0500 Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id 064A61C0B88; Tue, 25 Jan 2022 20:20:39 +0100 (CET) Date: Tue, 25 Jan 2022 20:20:38 +0100 From: Pavel Machek To: Greg Kroah-Hartman Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, rkardell@mida.se, Mauro Carvalho Chehab , Sasha Levin Subject: Re: [PATCH 4.4 066/114] media: m920x: dont use stack on USB reads Message-ID: <20220125192038.GB5395@duo.ucw.cz> References: <20220124183927.095545464@linuxfoundation.org> <20220124183929.139516454@linuxfoundation.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="1LKvkjL3sHcu1TtY" Content-Disposition: inline In-Reply-To: <20220124183929.139516454@linuxfoundation.org> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --1LKvkjL3sHcu1TtY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > From: Mauro Carvalho Chehab >=20 > [ Upstream commit a2ab06d7c4d6bfd0b545a768247a70463e977e27 ] >=20 > Using stack-allocated pointers for USB message data don't work. > This driver is almost OK with that, except for the I2C read > logic. >=20 > Fix it by using a temporary read buffer, just like on all other > calls to m920x_read(). Maybe the driver is buggy, but the fix is not okay. > +++ b/drivers/media/usb/dvb-usb/m920x.c > @@ -284,6 +284,13 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, = struct i2c_msg msg[], int nu > /* Should check for ack here, if we knew how. */ > } > if (msg[i].flags & I2C_M_RD) { > + char *read =3D kmalloc(1, GFP_KERNEL); > + if (!read) { > + ret =3D -ENOMEM; > + kfree(read); kfree(NULL). You probably did not want to do that. > + goto unlock; > + } > + > for (j =3D 0; j < msg[i].len; j++) { > /* Last byte of transaction? > * Send STOP, otherwise send ACK. */ > @@ -291,9 +298,12 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, = struct i2c_msg msg[], int nu > =20 > if ((ret =3D m920x_read(d->udev, M9206_I2C, 0x0, > 0x20 | stop, > - &msg[i].buf[j], 1)) !=3D 0) > + read, 1)) !=3D 0) > goto unlock; Memory leak here. > + msg[i].buf[j] =3D read[0]; > } > + > + kfree(read); > } else { > for (j =3D 0; j < msg[i].len; j++) { > /* Last byte of transaction? Then send STOP. */ Plus really running malloc in a loop like that looks strange. Anyway, this should stop the leaks. Best regards, Pavel diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/= m920x.c index 691e05833db1..da81fa189b5d 100644 --- a/drivers/media/usb/dvb-usb/m920x.c +++ b/drivers/media/usb/dvb-usb/m920x.c @@ -277,7 +277,6 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, str= uct i2c_msg msg[], int nu char *read =3D kmalloc(1, GFP_KERNEL); if (!read) { ret =3D -ENOMEM; - kfree(read); goto unlock; } =20 @@ -288,8 +287,10 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, st= ruct i2c_msg msg[], int nu =20 if ((ret =3D m920x_read(d->udev, M9206_I2C, 0x0, 0x20 | stop, - read, 1)) !=3D 0) + read, 1)) !=3D 0) { + kfree(read); goto unlock; + } msg[i].buf[j] =3D read[0]; } =20 --=20 DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany --1LKvkjL3sHcu1TtY Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCYfBNhgAKCRAw5/Bqldv6 8t7LAJoDhqGxBvYonwdoJn/5f2zVgq8lOACgt6NRIlXWvC7bZ4FmODlxwjEKzoQ= =3Hof -----END PGP SIGNATURE----- --1LKvkjL3sHcu1TtY--