Date: Thu, 19 Jan 2023 12:49:23 +0800
Subject: Re: [PATCH] media:cec:fix double free and uaf issue when cancel data during noblocking
From: Xinghui Li
To: Hans Verkuil
CC: Xinghui Li, loydlv
Message-ID: <4D54942F-92F0-429D-9F54-3D8F7705D576@gmail.com>
References: <20230111123712.160882-1-korantwork@gmail.com>
List-ID: linux-kernel@vger.kernel.org

On 2023/1/18 18:18, "Hans Verkuil" wrote:

> ...while this free is called if data->blocking is true. (see the 'if (!block) return 0;'
> further up).

Do you mean this code?

	/* All done if we don't need to block waiting for completion */
	if (!block)
		return 0;

I noticed this part of the code. But I'm not sure if 'block' will be modified in other sync operations.
So I sent this patch for the community to review.

> So I have my doubts if this patch actually addresses the correct issue.
> Do you have an actual debug trace of the UAF? Or even better, code to reproduce
> this issue.

And we found this issue with the code scanning tool developed by loydlv and filtered from 200 issues by a human.
So it could be a non-issue. If so, I hope I didn't waste too much of your time.