Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp9363315rwl; Wed, 11 Jan 2023 04:58:32 -0800 (PST) X-Google-Smtp-Source: AMrXdXteoawzgVEC41XWfKMQVN2RNQ7ZAO6AGPSWcB93OXkzRS4sFFkhn4+QOyVQIxBVa8/TnS9x X-Received: by 2002:a17:90b:2786:b0:221:7043:74c4 with SMTP id pw6-20020a17090b278600b00221704374c4mr73010115pjb.13.1673441912050; Wed, 11 Jan 2023 04:58:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673441912; cv=none; d=google.com; s=arc-20160816; b=qxRCEPm5F0fUr5FgWetgiMqPBKKxLmt2rSudlnDtfaWui0GcRzU5OzW0pe9TZip1lK SOmuYd0RtPMo6ZcLejlx4QReVkZK1A0MCdAsNTi2ibchJUjUSGzB9RUZdXzumx5XsScG gRH8revLXRgF+okVl0iG9gm38/8eH8BRa5Gv8h+Kbmc5+g2+tC3Ea12Y0OGyCt9ESqsw VFUpRwfXyYvj764lwYUcLyHOabcOgQCj8xy2k1cwu79O0HcRjGrOYHSgEMc5EW7QTjD+ JCILupd6ZCdA0m3NS3OnTwCd50kqmqWTHS9THGQLBXq7VyrLtcyj5K0qODpf9hEprngF FYIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=/SfV/BmxfgdOOg5a6VYc2jWBCaoBDxbExawT4jBtqtI=; b=hP+AsTCDnc8x4sNiSQyLx/18oawZXGLoRiEGPAndslCvNo8B6I/MSk1c4Sc92xDzz7 8ipVIzubDncCg4o42ygHOJJasgcg59D42Zv3IyMaF/1EM/1jeC5x0B68+jOPQ/Tahjdz oE3G17VBfXCQFTuT+HfCzOhQLu7W2ybQbJAIHODmuIN0fEwhM9ToC+ZE7J5sPAtN3G8j +fH/l2QrdMp4PWknSb+529y4wa3mbqVEddqXSwD56/lNUJGjzUC3AGHwcc33f329twaD pImPBmJGKXOFCRl916mT4GfjzlQB2nf5ChgP5YAdPmWAtni407g9MvMFLTOV/dPBQdKk L4Uw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b="O7/jUWap"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r6-20020a63d906000000b00477c2326410si14839469pgg.298.2023.01.11.04.58.25; Wed, 11 Jan 2023 04:58:32 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b="O7/jUWap"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230407AbjAKMhV (ORCPT + 53 others); Wed, 11 Jan 2023 07:37:21 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48104 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231420AbjAKMhR (ORCPT ); Wed, 11 Jan 2023 07:37:17 -0500 Received: from mail-pl1-x643.google.com (mail-pl1-x643.google.com [IPv6:2607:f8b0:4864:20::643]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 532B228A; Wed, 11 Jan 2023 04:37:16 -0800 (PST) Received: by mail-pl1-x643.google.com with SMTP id c6so16650209pls.4; Wed, 11 Jan 2023 04:37:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=/SfV/BmxfgdOOg5a6VYc2jWBCaoBDxbExawT4jBtqtI=; b=O7/jUWap8/638xgc1Ns5tmKeXTVrPsNk54AfACcQGv9yvWZk1ra/GkWfNnS+mKj4Wz uYE2up5XVY8j/4rdhu83e72UpnNlYVsBe1v0buspaQyq1wEsBhFqs4LLRORvzxsYeeZo SfjYGP2FKujTTmrvyXe4kyTcSFhyvQn5E6ENkvnH2LFlwL5Vk9PlullK5Ia5qshMHw1U qC1ceLtVOEZdMIRlBkEl5NCi+yWjrzz8oa586FzZw6lS0dU0lRBURInquiitvcIkVz8L suciE74D914UNRjFY7wgVQR8BtaedeT4U2onJu2NwiHlhv43ZZHGWz9suqr14hR6Qpy+ 6q9w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/SfV/BmxfgdOOg5a6VYc2jWBCaoBDxbExawT4jBtqtI=; b=fcQSEaaDa+8tiiiLwuedQOqY0VxlRvzAJwFIJE8K8aygEzB3Crp+kJNgU2pAOxyu6D Wi9xOrhQY1pr73SRbMLBoR+fZ7wcAz7laWW4mn12yWaB9oFt4lLjlGwEiXDxUNFsll7e 6uzIvmQ1KjJExKxX2OkU1pnrndduoWjLH5Rf6IsxbHHaWF01NHISSSNuUdu/nk/9q13f r/UCoY3DZVVED65e0TmFKC0RHhBxuIV9FiNbDp/iuA6miBTqwoOZvb/MkRwrpJ49mQLu kjraR2mug4XIXw5DLMZyB6RsWrO9b0B3nZGHBa6m0U82gYeOP3NiNe/bDCbp031KmKFY KtDg== X-Gm-Message-State: AFqh2kqHyzrUSIXFVm4lIuqjJOIqPoMFsUMAlZH1VYQ/h1/L9efDS3BD QlGFV6dkmN6e1/wW9EQlA+8xazdLe1FwLg== X-Received: by 2002:a17:902:f791:b0:192:5ec4:6656 with SMTP id q17-20020a170902f79100b001925ec46656mr74448750pln.3.1673440635738; Wed, 11 Jan 2023 04:37:15 -0800 (PST) Received: from localhost.localdomain ([43.132.141.3]) by smtp.gmail.com with ESMTPSA id im22-20020a170902bb1600b00186748fe6ccsm10015648plb.214.2023.01.11.04.37.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Jan 2023 04:37:15 -0800 (PST) From: korantwork@gmail.com To: hverkuil-cisco@xs4all.nl, mchehab@kernel.org Cc: linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, Xinghui Li , loydlv Subject: [PATCH] media:cec:fix double free and uaf issue when cancel data during noblocking Date: Wed, 11 Jan 2023 20:37:12 +0800 Message-Id: <20230111123712.160882-1-korantwork@gmail.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xinghui Li data could be free when it is not completed during transmit if the opt is nonblocking.In this case,the regular free could lead to double-free.So, add the return value '-EPERM' to mark the above case. Reported-by: loydlv Signed-off-by: Xinghui Li --- drivers/media/cec/core/cec-adap.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c index 4f5ab3cae8a7..c2ba8d1173c1 100644 --- a/drivers/media/cec/core/cec-adap.c +++ b/drivers/media/cec/core/cec-adap.c @@ -311,7 +311,7 @@ static void cec_post_state_event(struct cec_adapter *adap) * * This function is called with adap->lock held. */ -static void cec_data_completed(struct cec_data *data) +static int cec_data_completed(struct cec_data *data) { /* * Delete this transmit from the filehandle's xfer_list since @@ -339,7 +339,9 @@ static void cec_data_completed(struct cec_data *data) if (data->fh) cec_queue_msg_fh(data->fh, &data->msg); kfree(data); + return -EPERM; } + return 0; } /* @@ -349,7 +351,7 @@ static void cec_data_completed(struct cec_data *data) * * This function is called with adap->lock held. */ -static void cec_data_cancel(struct cec_data *data, u8 tx_status, u8 rx_status) +static int cec_data_cancel(struct cec_data *data, u8 tx_status, u8 rx_status) { struct cec_adapter *adap = data->adap; @@ -388,7 +390,7 @@ static void cec_data_cancel(struct cec_data *data, u8 tx_status, u8 rx_status) /* Allow drivers to process the message first */ call_op(adap, received, &data->msg); - cec_data_completed(data); + return cec_data_completed(data); } /* @@ -744,6 +746,7 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, { struct cec_data *data; bool is_raw = msg_is_raw(msg); + int ret = 0; if (adap->devnode.unregistered) return -ENODEV; @@ -916,18 +919,20 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, /* Cancel the transmit if it was interrupted */ if (!data->completed) { if (data->msg.tx_status & CEC_TX_STATUS_OK) - cec_data_cancel(data, CEC_TX_STATUS_OK, CEC_RX_STATUS_ABORTED); + ret = cec_data_cancel(data, CEC_TX_STATUS_OK, CEC_RX_STATUS_ABORTED); else - cec_data_cancel(data, CEC_TX_STATUS_ABORTED, 0); + ret = cec_data_cancel(data, CEC_TX_STATUS_ABORTED, 0); } /* The transmit completed (possibly with an error) */ - *msg = data->msg; - if (WARN_ON(!list_empty(&data->list))) - list_del(&data->list); - if (WARN_ON(!list_empty(&data->xfer_list))) - list_del(&data->xfer_list); - kfree(data); + if (!ret) { + *msg = data->msg; + if (WARN_ON(!list_empty(&data->list))) + list_del(&data->list); + if (WARN_ON(!list_empty(&data->xfer_list))) + list_del(&data->xfer_list); + kfree(data); + } return 0; } -- 2.34.1