Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp3278560rwd; Mon, 22 May 2023 11:08:40 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6cx67ucmGwiicc3HqmQca2HpR7QZM0ZVF40OtVVUxtR2iwZD62OIh6ZioWyhWqmjePLLG8 X-Received: by 2002:a05:6a20:7d83:b0:104:8045:c971 with SMTP id v3-20020a056a207d8300b001048045c971mr14472274pzj.58.1684778920480; Mon, 22 May 2023 11:08:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684778920; cv=none; d=google.com; s=arc-20160816; b=EaBkYmnpvgRfV7IsQWZZXiawkO1Mxf7cLeUFJ6MWz6kg1wKx5FGmqmeAzP6lXgLeNb 9BAenwih3kCMUF/q6/cf4blBzbs8wV0P/WEqsf3YhtrBYT3a/tJJjvXDzqPq+DviplyH nnH5a+CQF90PYzly7IskwJm8gqNk7hOk74NwUdZDCBNyBcKe8fpd3w9cK/lsGvs02N8O 3xTMLLyWCpCjYx26eU1Pd+kXV4Xlv+yiwrp4li1LtTALUNi0mEtAqxSebVpzZGk2kn/3 owzEMHRakp5/6ysPSm/TLLSzt7s55r6gONyKgPZgwaGeP0r7+Rn/K2Uof5Gg7HM3VIys TWYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:ui-outboundreport:content-transfer-encoding :in-reply-to:from:references:cc:to:content-language:subject :user-agent:mime-version:date:message-id:dkim-signature; bh=fHtdIhjzACP6SGVIEf0mnGkP2LKh1C/xZaTWSIbihsU=; b=mOxYMxlWls3iPUQ65S9TA2Q1/eQN9eqiqKIm1QFl02EPwc5X0dt7ubBdxj5c5EuCPW rBFFxt5P/W9mdLEb00SWLvw9kbMbaoBrIOljv8np2yA1zjweGATULO2qCCjkUU9DRBBk +ifY0C3lP8Ch3j0dDUsysYJ9wGOWZiF81aWMIdA4L/azD7ylOqo+MYClJjogoBCqkSxm BvP4GWHXO9GlPEZOqXEMIeij1FYXzgdNDR7JpgJiUe+gk96w7iinh2P3Saylpqe76Lm0 NvCVDtAuHxf5GWsm8s/01Fg4c012NWKzqug7EnUhKh+8vLXqTpcfWMCXIR0VLIu9DTpl 2yWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmx.de header.s=s31663417 header.b=DWELf+f1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmx.de Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z1-20020aa79481000000b0064d72c6eab8si1694001pfk.270.2023.05.22.11.08.26; Mon, 22 May 2023 11:08:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmx.de header.s=s31663417 header.b=DWELf+f1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmx.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233151AbjEVSCs (ORCPT + 99 others); Mon, 22 May 2023 14:02:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58778 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233336AbjEVSCo (ORCPT ); Mon, 22 May 2023 14:02:44 -0400 Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8836C115; Mon, 22 May 2023 11:02:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.de; s=s31663417; t=1684778548; i=deller@gmx.de; bh=XYc624rp14uGmFw7V+RpipNyamXCae8xWBesq8Wzch0=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From:In-Reply-To; b=DWELf+f1QYUtiGgVl5LdIGZNeQtZw/3/B/ta4721hkXhpkgxodim8XgtQu7P4omRO iVyF1ZAfkgQ2walLIawUlQao+VouRtOkfXNqtP3Mx4wKjdM7JpU4VPfuAlayiEe6Cz TFGdsYLaRnW0Pwqo0QShTphJutAYcVh02ZtWfoma4SpBCa261bC0SQadFQQxk8/4Ur YKij4AdNhChzXXZ7ZzUinkDTe1dTrt/5pG2QGwD4t3jhDZ2P/8kExrIte9Kb/JrSRU oEjtkKGMqaTN4Qb0nnITvW1pmGlro6zoYyHqrkpQ+7rmIyF73N0HKlxO5EhcdBjAoB iLLHhvNUYtKhA== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from [192.168.20.60] ([94.134.144.112]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MwQXH-1qJVj72W5V-00sJVb; Mon, 22 May 2023 20:02:28 +0200 Message-ID: <069f2f78-01f3-9476-d860-2b695c122649@gmx.de> Date: Mon, 22 May 2023 20:02:27 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 Subject: Re: [PATCH v2] video: imsttfb: Fix use after free bug in imsttfb_probe due to lack of error-handling of init_imstt Content-Language: en-US To: =?UTF-8?Q?Michal_Koutn=c3=bd?= , Zheng Wang Cc: alex000young@gmail.com, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org, hackerzheng666@gmail.com, dri-devel@lists.freedesktop.org, javierm@redhat.com, 1395428693sheep@gmail.com, tzimmermann@suse.de References: <20230427030841.2384157-1-zyytlz.wz@163.com> <34gbv2k3lc5dl4nbivslizfuor6qc34j63idiiuc35qkk3iohs@7bshmqu2ue7a> From: Helge Deller In-Reply-To: <34gbv2k3lc5dl4nbivslizfuor6qc34j63idiiuc35qkk3iohs@7bshmqu2ue7a> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable X-Provags-ID: V03:K1:PfUYXpvWMuOOsXD6z6hDlW4zxrijkqWNQR241XhkbgwSYYR5Exs vrMLbqYn9c07gDe+BfLpK2gCSZS7DmcraMknMA/rUrhNqJtJN2o1tWSIdTXmMqdtye1G7B7 cSuZie+oPXJKuG1OJTM8gF4898l9XlKuOme30KDYWJU//wQItJGL7P3mKmVLJ8TaTQOmduF 0F9E2t038ndH4jxFPkLeg== UI-OutboundReport: notjunk:1;M01:P0:u/iktjswmR0=;QcgsMcSYN+1sr1fnL/z4Bk3Ctn5 9f9SghE3HCO1+MHOIOchWMM4GzgxwChhr0Drb3ZsSMP0Ker/pbbSSXiIkTrFDumbYXegUcOW1 J46ZMmEzpo0Z1UBqtDGvs3iy7y6XfLZNq4IeIl5WNLh+R83gdMGmCYcLEng5ixVSxukwv2FFQ VCsbf/O430+FerLasWH0a+O3ufcBF7DvhMMrSAxg75J9izRDV54DZf6AJ05aDOakd5aBspkWb sVDEYNZQUTkkOz/EyP/Gdk9Casuws2/LpOYfWyrwADGSwYnNP6wuqgOsVQv/Hk3BIXnPP7EtN i0c1QWm/tSlRSzv1ZfutOJ7PfhxFH9C9uojSM2xsiA1e37s3UqQXfT56zxxgK0hCB5fCLWdFV 3eDiK5oT1W3cCVQ2uSZwDVh2FHNuMj5qPeZrPFscPSFJypjfCjohoFi/FL+AlXO+3TAW7/Sri pdiZa+h+Q24UTBmW/3KmZ/S3NhOcdWpcZT/Zx9RFj5RXkmLQOIRWknlj14C3POpRftz0rQ1Kc s9XeBdsLQVmxTNOSU/Ash1t17GhucMmpMm4HUI4mOONAU3CaMRWw3f3ScOYfexojrPg2C/SZ3 SQS838AT8msUxN+Y3JCtz6vr3rESONTp0PpPfa0HgHF5Ne3DUE2UQkXFOrvB1a+o6DQPQFc47 PU3PhMh60ygwDe5OB118et7FKXZb+/UDIsVjiJnEYDeK9uWiQpoiu5sO5k6eJWY7iMs36OJFH t59wldh+YPiV9FSzXtQMklufhpOxh5RsYVA2CjEy/0PDqpS5kAMFEyLY4CvwOBjscRAroph6i RniI9PwpC4JS8ZlmMu66ulrhAyraP1zYRCWLpnv1cfwfk8OAumJ4zPk9+ALULDohE5FbqJMTr rG0XxMu6RhxFdeNw/7YSrncx4WbjFc8HVT/msNy++JobkWKLZhWx8wbQztnqZMDhhrBfO7/XJ hdbNHA== X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,NICE_REPLY_A, RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Michal, On 5/22/23 17:36, Michal Koutn=C3=BD wrote: > On Thu, Apr 27, 2023 at 11:08:41AM +0800, Zheng Wang = wrote: >> static int imsttfb_probe(struct pci_dev *pdev, const struct pci_devic= e_id *ent) >> @@ -1529,10 +1530,10 @@ static int imsttfb_probe(struct pci_dev *pdev, = const struct pci_device_id *ent) >> if (!par->cmap_regs) >> goto error; >> info->pseudo_palette =3D par->palette; >> - init_imstt(info); >> - >> - pci_set_drvdata(pdev, info); >> - return 0; >> + ret =3D init_imstt(info); >> + if (!ret) >> + pci_set_drvdata(pdev, info); >> + return ret; >> >> error: >> if (par->dc_regs) > > This part caught my eye -- shouldn't the -ENODEV from init_imstt go > through the standard error with proper cleanup? (It seems like a leak > from my 30000 ft view, i.e. not sure about imsttfb_{probe,remove} > pairing.) Yes, you seem to be right. > Shouldn't there be something like the diff below on top of the existing = code? Yes, but .... > Regards, > Michal > > diff --git a/drivers/video/fbdev/imsttfb.c b/drivers/video/fbdev/imsttfb= .c > index 975dd682fae4..a116ac8ca020 100644 > --- a/drivers/video/fbdev/imsttfb.c > +++ b/drivers/video/fbdev/imsttfb.c > @@ -1419,7 +1419,6 @@ static int init_imstt(struct fb_info *info) > if ((info->var.xres * info->var.yres) * (info->var.bits_per_pixel >> = 3) > info->fix.smem_len > || !(compute_imstt_regvals(par, info->var.xres, info->var.yres)))= { > printk("imsttfb: %ux%ux%u not supported\n", info->var.xres, info->va= r.yres, info->var.bits_per_pixel); > - framebuffer_release(info); > return -ENODEV; > } > > @@ -1455,7 +1454,6 @@ static int init_imstt(struct fb_info *info) > fb_alloc_cmap(&info->cmap, 0, 0); > > if (register_framebuffer(info) < 0) { > - framebuffer_release(info); That's ^^^ ok, but I think a fb_dealloc_cmap() is missing here ... ... and in the error path of imsttfb_probe() .... > return -ENODEV; > } > > @@ -1531,8 +1529,10 @@ static int imsttfb_probe(struct pci_dev *pdev, co= nst struct pci_device_id *ent) > goto error; > info->pseudo_palette =3D par->palette; > ret =3D init_imstt(info); > - if (!ret) > - pci_set_drvdata(pdev, info); > + if (ret) > + goto error; > + > + pci_set_drvdata(pdev, info); > return ret; > > error: Would you mind sending a proper patch? Thanks for noticing! Helge