Date: Mon, 22 May 2023 17:36:14 +0200
From: Michal Koutný
To: Zheng Wang
Cc: deller@gmx.de, alex000young@gmail.com, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, hackerzheng666@gmail.com, dri-devel@lists.freedesktop.org, javierm@redhat.com, 1395428693sheep@gmail.com, tzimmermann@suse.de
Subject: Re: [PATCH v2] video: imsttfb: Fix use after free bug in imsttfb_probe due to lack of error-handling of init_imstt
Message-ID: <34gbv2k3lc5dl4nbivslizfuor6qc34j63idiiuc35qkk3iohs@7bshmqu2ue7a>
References: <20230427030841.2384157-1-zyytlz.wz@163.com>
In-Reply-To: <20230427030841.2384157-1-zyytlz.wz@163.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello.

On Thu, Apr 27, 2023 at 11:08:41AM +0800, Zheng Wang wrote:
> static int imsttfb_probe(struct pci_dev *pdev, const struct pci_device_i= d *ent)
> @@ -1529,10 +1530,10 @@ static int imsttfb_probe(struct pci_dev *pdev, co= nst struct pci_device_id *ent) > if (!par->cmap_regs) > goto error; > info->pseudo_palette =3D par->palette; > - init_imstt(info); > - > - pci_set_drvdata(pdev, info); > - return 0; > + ret =3D init_imstt(info); > + if (!ret) > + pci_set_drvdata(pdev, info); > + return ret; > =20 > error: > if (par->dc_regs) This part caught my eye -- shouldn't the -ENODEV from init_imstt go through the standard error with proper cleanup? (It seems like a leak =66rom my 30000 ft view, i.e. not sure about imsttfb_{probe,remove} pairing.) Shouldn't there be something like the diff below on top of the existing cod= e? Regards, Michal diff --git a/drivers/video/fbdev/imsttfb.c b/drivers/video/fbdev/imsttfb.c index 975dd682fae4..a116ac8ca020 100644 --- a/drivers/video/fbdev/imsttfb.c +++ b/drivers/video/fbdev/imsttfb.c @@ -1419,7 +1419,6 @@ static int init_imstt(struct fb_info *info) if ((info->var.xres * info->var.yres) * (info->var.bits_per_pixel >> 3) >= info->fix.smem_len || !(compute_imstt_regvals(par, info->var.xres, info->var.yres))) { printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->var.yr= es, info->var.bits_per_pixel); - framebuffer_release(info); return -ENODEV; } =20 @@ -1455,7 +1454,6 @@ static int init_imstt(struct fb_info *info) fb_alloc_cmap(&info->cmap, 0, 0); =20 if (register_framebuffer(info) < 0) { - framebuffer_release(info); return -ENODEV; } =20 
@@ -1531,8 +1529,10 @@ static int imsttfb_probe(struct pci_dev *pdev, const= struct pci_device_id *ent) goto error; info->pseudo_palette =3D par->palette; ret =3D init_imstt(info); - if (!ret) - pci_set_drvdata(pdev, info); + if (ret) + goto error; + + pci_set_drvdata(pdev, info); return ret; =20 error:
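Review bot: in the quoted v2 hunk (@@ -1529,10 +1530,10 @@), the sequence `if (!ret) pci_set_drvdata(pdev, info); return ret;` returns straight out of imsttfb_probe() when init_imstt() fails, bypassing the `error:` label that immediately follows it, so whatever that label undoes (the visible context shows it starts with `if (par->dc_regs)`, i.e. the register mappings set up earlier in probe) is never undone on that path. A failed init_imstt() should `goto error` like every other failure in this function, which is what the follow-up diff proposes.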
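Review bot: dropping `framebuffer_release(info);` from the unsupported-mode branch of init_imstt() (@@ -1419,7 +1419,6 @@) changes the function's ownership contract: the caller now owns `info` on every return value and must release it itself. That is the right shape for the use-after-free named in the subject, since the original probe code handed the already-released `info` to pci_set_drvdata(), but the new contract should be stated in a comment above init_imstt() and in the commit message so a later caller does not reintroduce a release on the callee side. Minor: the `printk("imsttfb: %ux%ux%u not supported\n", ...)` on the same lines carries no KERN_ level; `pr_err()` or `dev_err()` would be preferable.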
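Review bot: with `framebuffer_release(info);` removed in @@ -1455,7 +1454,6 @@, the block `if (register_framebuffer(info) < 0) { return -ENODEV; }` wraps a single statement, which kernel style and checkpatch flag; drop the braces. Since the caller now propagates init_imstt()'s return value, consider returning what register_framebuffer() returned instead of collapsing it to -ENODEV.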
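Review bot: `if (ret) goto error;` in @@ -1531,8 +1529,10 @@ is the right fix, but it only holds together with the two init_imstt() hunks above: `error:` must now be the single place that releases `info`. If the label does not call framebuffer_release(), the change trades the use-after-free for a leak; if init_imstt() still released it, the jump would double free. Please confirm what `error:` does with `info`, and that the label returns the `ret` stored here (the -ENODEV from init_imstt()) rather than a fixed value, and say so in the commit message. The trailing `return ret;` after pci_set_drvdata() is now always 0 and would read more clearly as `return 0;`.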