From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Yavuz, Tuba" <tuba@ece.ufl.edu>,
Oliver Neukum <oneukum@suse.com>,
Hans Verkuil <hans.verkuil@cisco.com>,
Mauro Carvalho Chehab <mchehab@s-opensource.com>
Subject: [PATCH 4.16 08/31] media: usbtv: prevent double free in error case
Date: Fri, 6 Apr 2018 15:24:33 +0200 [thread overview]
Message-ID: <20180406084342.178292706@linuxfoundation.org> (raw)
In-Reply-To: <20180406084340.999820380@linuxfoundation.org>
4.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 50e7044535537b2a54c7ab798cd34c7f6d900bd2 upstream.
Quoting the original report:
It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.
usbtv_audio_fail:
usbtv_video_free(usbtv); =>
v4l2_device_put(&usbtv->v4l2_dev);
=> v4l2_device_put
=> kref_put
=> v4l2_device_release
=> usbtv_release (CALLBACK)
=> kfree(usbtv) (1st time)
usbtv_video_fail:
usb_set_intfdata(intf, NULL);
usb_put_dev(usbtv->udev);
kfree(usbtv); (2nd time)
So, as we have refcounting, use it
Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/usbtv/usbtv-core.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interf
return 0;
usbtv_audio_fail:
+ /* we must not free at this point */
+ usb_get_dev(usbtv->udev);
usbtv_video_free(usbtv);
usbtv_video_fail:
next prev parent reply other threads:[~2018-04-06 13:45 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-06 13:24 [PATCH 4.16 00/31] 4.16.1-stable review Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 01/31] bitmap: fix memset optimization on big-endian systems Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 02/31] USB: serial: ftdi_sio: add RT Systems VX-8 cable Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 03/31] USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 04/31] USB: serial: cp210x: add ELDAT Easywave RX09 id Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 05/31] serial: 8250: Add Nuvoton NPCM UART Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 06/31] mei: remove dev_err message on an unsupported ioctl Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 07/31] /dev/mem: Avoid overwriting "err" in read_mem() Greg Kroah-Hartman
2018-04-06 13:24 ` Greg Kroah-Hartman [this message]
2018-04-06 13:24 ` [PATCH 4.16 09/31] parport_pc: Add support for WCH CH382L PCI-E single parallel port card Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 10/31] crypto: lrw - Free rctx->ext with kzfree Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 11/31] crypto: ccp - Fill the result buffer only on digest, finup, and final ops Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 12/31] crypto: talitos - dont persistently map req_ctx->hw_context and req_ctx->buf Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 13/31] crypto: inside-secure - fix clock management Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 14/31] crypto: testmgr - Fix incorrect values in PKCS#1 test vector Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 15/31] crypto: talitos - fix IPsec cipher in length Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 16/31] crypto: ahash - Fix early termination in hash walk Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 17/31] crypto: caam - Fix null dereference at error path Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 18/31] crypto: ccp - return an actual key size from RSA max_size callback Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 19/31] crypto: arm,arm64 - Fix random regeneration of S_shipped Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 20/31] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 21/31] Bluetooth: hci_bcm: Add 6 new ACPI HIDs Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 22/31] Btrfs: fix unexpected cow in run_delalloc_nocow Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 23/31] siox: fix possible buffer overflow in device_add_store Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 24/31] staging: comedi: ni_mio_common: ack ai fifo error interrupts Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 25/31] Revert "base: arch_topology: fix section mismatch build warnings" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 26/31] Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370 Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 27/31] Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 28/31] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 29/31] vt: change SGR 21 to follow the standards Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 30/31] Fix slab name "biovec-(1<<(21-12))" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.16 31/31] signal: Correct the offset of si_pkey and si_lower in struct siginfo on m68k Greg Kroah-Hartman
2018-04-06 18:42 ` [PATCH 4.16 00/31] 4.16.1-stable review kernelci.org bot
2018-04-06 22:07 ` Shuah Khan
2018-04-07 6:09 ` Greg Kroah-Hartman
2018-04-07 8:01 ` Naresh Kamboju
2018-04-07 12:28 ` Greg Kroah-Hartman
2018-04-07 17:07 ` Naresh Kamboju
2018-04-07 17:54 ` Greg Kroah-Hartman
2018-04-07 21:21 ` Dan Rue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180406084342.178292706@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hans.verkuil@cisco.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mchehab@s-opensource.com \
--cc=oneukum@suse.com \
--cc=stable@vger.kernel.org \
--cc=tuba@ece.ufl.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.