From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
linux-fbdev@vger.kernel.org,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Evgeny Novikov <novikov@ispras.ru>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
dri-devel@lists.freedesktop.org,
Mike Rapoport <rppt@linux.ibm.com>,
Jani Nikula <jani.nikula@intel.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH AUTOSEL 4.14 05/22] video: fbdev: neofb: fix memory leak in neo_scan_monitor()
Date: Mon, 10 Aug 2020 19:13:27 +0000 [thread overview]
Message-ID: <20200810191345.3795166-5-sashal@kernel.org> (raw)
In-Reply-To: <20200810191345.3795166-1-sashal@kernel.org>
From: Evgeny Novikov <novikov@ispras.ru>
[ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ]
neofb_probe() calls neo_scan_monitor() that can successfully allocate a
memory for info->monspecs.modedb and proceed to case 0x03. There it does
not free the memory and returns -1. neofb_probe() goes to label
err_scan_monitor, thus, it does not free this memory through calling
fb_destroy_modedb() as well. We can not go to label err_init_hw since
neo_scan_monitor() can fail during memory allocation. So, the patch frees
the memory directly for case 0x03.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/neofb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c
index 5d3a444083f74..2018e1ca33eb6 100644
--- a/drivers/video/fbdev/neofb.c
+++ b/drivers/video/fbdev/neofb.c
@@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info)
#else
printk(KERN_ERR
"neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n");
+ kfree(info->monspecs.modedb);
return -1;
#endif
default:
--
2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
linux-fbdev@vger.kernel.org,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Evgeny Novikov <novikov@ispras.ru>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
dri-devel@lists.freedesktop.org,
Mike Rapoport <rppt@linux.ibm.com>,
Jani Nikula <jani.nikula@intel.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH AUTOSEL 4.14 05/22] video: fbdev: neofb: fix memory leak in neo_scan_monitor()
Date: Mon, 10 Aug 2020 15:13:27 -0400 [thread overview]
Message-ID: <20200810191345.3795166-5-sashal@kernel.org> (raw)
In-Reply-To: <20200810191345.3795166-1-sashal@kernel.org>
From: Evgeny Novikov <novikov@ispras.ru>
[ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ]
neofb_probe() calls neo_scan_monitor() that can successfully allocate a
memory for info->monspecs.modedb and proceed to case 0x03. There it does
not free the memory and returns -1. neofb_probe() goes to label
err_scan_monitor, thus, it does not free this memory through calling
fb_destroy_modedb() as well. We can not go to label err_init_hw since
neo_scan_monitor() can fail during memory allocation. So, the patch frees
the memory directly for case 0x03.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/neofb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c
index 5d3a444083f74..2018e1ca33eb6 100644
--- a/drivers/video/fbdev/neofb.c
+++ b/drivers/video/fbdev/neofb.c
@@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info)
#else
printk(KERN_ERR
"neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n");
+ kfree(info->monspecs.modedb);
return -1;
#endif
default:
--
2.25.1
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Evgeny Novikov <novikov@ispras.ru>,
Jani Nikula <jani.nikula@intel.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
Andrew Morton <akpm@linux-foundation.org>,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>,
Sasha Levin <sashal@kernel.org>,
dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 05/22] video: fbdev: neofb: fix memory leak in neo_scan_monitor()
Date: Mon, 10 Aug 2020 15:13:27 -0400 [thread overview]
Message-ID: <20200810191345.3795166-5-sashal@kernel.org> (raw)
In-Reply-To: <20200810191345.3795166-1-sashal@kernel.org>
From: Evgeny Novikov <novikov@ispras.ru>
[ Upstream commit edcb3895a751c762a18d25c8d9846ce9759ed7e1 ]
neofb_probe() calls neo_scan_monitor() that can successfully allocate a
memory for info->monspecs.modedb and proceed to case 0x03. There it does
not free the memory and returns -1. neofb_probe() goes to label
err_scan_monitor, thus, it does not free this memory through calling
fb_destroy_modedb() as well. We can not go to label err_init_hw since
neo_scan_monitor() can fail during memory allocation. So, the patch frees
the memory directly for case 0x03.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20200630195451.18675-1-novikov@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/neofb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/video/fbdev/neofb.c b/drivers/video/fbdev/neofb.c
index 5d3a444083f74..2018e1ca33eb6 100644
--- a/drivers/video/fbdev/neofb.c
+++ b/drivers/video/fbdev/neofb.c
@@ -1820,6 +1820,7 @@ static int neo_scan_monitor(struct fb_info *info)
#else
printk(KERN_ERR
"neofb: Only 640x480, 800x600/480 and 1024x768 panels are currently supported\n");
+ kfree(info->monspecs.modedb);
return -1;
#endif
default:
--
2.25.1
next prev parent reply other threads:[~2020-08-10 19:13 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-10 19:13 [PATCH AUTOSEL 4.14 01/22] drm/tilcdc: fix leak & null ref in panel_connector_get_modes Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 02/22] Bluetooth: add a mutex lock to avoid UAF in do_enale_set Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 03/22] fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 04/22] drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` Sasha Levin [this message]
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 05/22] video: fbdev: neofb: fix memory leak in neo_scan_monitor() Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 06/22] md-cluster: fix wild pointer of unlock_all_bitmaps() Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 07/22] arm64: dts: hisilicon: hikey: fixes to comply with adi, adv7533 DT binding Sasha Levin
2020-08-10 19:13 ` Sasha Levin
[not found] ` <20200810191345.3795166-1-sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 08/22] drm/nouveau: fix multiple instances of reference count leaks Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 09/22] drm/debugfs: fix plain echo to connector "force" attribute Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 10/22] irqchip/irq-mtk-sysirq: Replace spinlock with raw_spinlock Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 11/22] mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 12/22] brcmfmac: To fix Bss Info flag definition Bug Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 13/22] brcmfmac: set state of hanger slot to FREE when flushing PSQ Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 14/22] iwlegacy: Check the return value of pcie_capability_read_*() Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 15/22] gpu: host1x: debug: Fix multiple channels emitting messages simultaneously Sasha Levin
2020-08-10 19:13 ` Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 16/22] usb: gadget: net2280: fix memory leak on probe error handling paths Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 17/22] bdc: Fix bug causing crash after multiple disconnects Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 18/22] usb: bdc: Halt controller on suspend Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 19/22] dyndbg: fix a BUG_ON in ddebug_describe_flags Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 20/22] dyndbg: prefer declarative init in caller, to memset in callee Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 21/22] bcache: fix super block seq numbers comparision in register_cache_set() Sasha Levin
2020-08-10 19:13 ` [PATCH AUTOSEL 4.14 22/22] ACPICA: Do not increment operation_region reference counts for field units Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200810191345.3795166-5-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=b.zolnierkie@samsung.com \
--cc=daniel.vetter@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=jani.nikula@intel.com \
--cc=linux-fbdev@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=novikov@ispras.ru \
--cc=rppt@linux.ibm.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.