From: Chen Zhongjin
Subject: [PATCH] media: dvb-core: Fix ignored return value in dvb_register_frontend()
Date: Tue, 8 Nov 2022 11:30:05 +0800
Message-ID: <20221108033005.169095-1-chenzhongjin@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In dvb_register_frontend(), dvb_register_device() can fail, but its
return value is ignored.

It will cause a use-after-free when the module is removed, because
dvb_unregister_frontend() tries to unregister a device that was not
registered.

BUG: KASAN: use-after-free in dvb_remove_device+0x18b/0x1f0 [dvb_core]
Read of size 4 at addr ffff88800dff4824 by task rmmod/428
CPU: 3 PID: 428 Comm: rmmod
Call Trace:
 ...
 dvb_remove_device+0x18b/0x1f0 [dvb_core]
 dvb_unregister_frontend+0x7b/0x130 [dvb_core]
 vidtv_bridge_remove+0x6e/0x160 [dvb_vidtv_bridge]
 ...

Fix this by catching the return value of dvb_register_device().
However, the fe->refcount can't be put to zero immediately, because
there are still modules calling dvb_frontend_detach() when
dvb_register_frontend() fails.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Chen Zhongjin
---
 drivers/media/dvb-core/dvb_frontend.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c index 48e735cdbe6b..a7792ef4baf8 100644 --- a/drivers/media/dvb-core/dvb_frontend.c +++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -2986,6 +2986,7 @@ int dvb_register_frontend(struct dvb_adapter *dvb, .name = fe->ops.info.name, #endif }; + int ret; dev_dbg(dvb->device, "%s:\n", __func__); @@ -3019,8 +3020,13 @@ int dvb_register_frontend(struct dvb_adapter *dvb, "DVB: registering adapter %i frontend %i (%s)...\n", fe->dvb->num, fe->id, fe->ops.info.name); - dvb_register_device(fe->dvb, &fepriv->dvbdev, &dvbdev_template, + ret = dvb_register_device(fe->dvb, &fepriv->dvbdev, &dvbdev_template, fe, DVB_DEVICE_FRONTEND, 0); + if (ret) { + dvb_frontend_put(fe); + mutex_unlock(&frontend_mutex); + return ret; + } /* * Initialize the cache to the proper values according with the -- 2.17.1
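
Review bot: In the second hunk (@@ -3019,8 +3020,13 @@), the new error path calls dvb_frontend_put(fe) without a comment, while the commit message says fe->refcount can't be put to zero immediately because some modules still call dvb_frontend_detach() after dvb_register_frontend() fails. Please add a short comment above "dvb_frontend_put(fe);" stating which reference is dropped here and why the frontend remains valid for those callers, so the next reader does not have to reconstruct it from the changelog. The put also runs before "mutex_unlock(&frontend_mutex);", so it would help to state in the changelog that nothing reached from dvb_frontend_put() takes frontend_mutex. Finally, the only message near this path is the "DVB: registering adapter %i frontend %i (%s)..." line printed just before the call; a dev_err() reporting ret on failure would make the failed registration visible in the log.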