Date: Sun, 1 Aug 2021 15:41:50 +0100
From: Sean Young
To: nil Yi
Cc: crope@iki.fi, linux-media@vger.kernel.org
Subject: Re: [BUG]: drivers: media: dvb-frontends: rtl2832_sdr.c: a dangling pointer may cause double free
Message-ID: <20210801144150.GA17214@gofer.mess.org>
User-Agent: Mutt/1.10.1 (2018-07-13)

Hi,

On Sun, Aug 01, 2021 at 03:08:16PM +0800, nil Yi wrote:
> Hi,
> I found there is a dangling pointer in rtl2832_sdr_alloc_urbs which
> may cause a double free in v5.14-rc3
>
> in rtl2832_sdr_alloc_urbs:
>
> 379:	for (j = 0; j < i; j++)
> 380:		usb_free_urb(dev->urb_list[j]);
>
> it frees all the urbs but forgets to set dev->urbs_initialized to
> zero, which will be used in function rtl2832_sdr_free_urbs:
>
> 357:	for (i = dev->urbs_initialized - 1; i >= 0; i--) {
> 358:		if (dev->urb_list[i]) {
> 359:			dev_dbg(&pdev->dev, "free urb=%d\n", i);
> 360:			/* free the URBs */
> 361:			usb_free_urb(dev->urb_list[i]);
> 362:		}
> 363:	}
> 364:	dev->urbs_initialized = 0;
>
> I'm not sure whether this double free would be triggered or not; a
> similar issue happened in commit b7f870510384 free if usb disconnect while streaming
>
> Any feedback would be appreciated, thanks :)

I am not quite sure how this bug could be triggered, since this would
involve rtl2832_sdr_start_streaming() being called and then failing, and
then rtl2832_sdr_stop_streaming() being called even though start failed
(I don't think that happens).

Note that the code around this is pretty ugly; it might be nicer to
remove urbs_initialized and simply rely on the fact that the urb_list[i]
entry is non-null if it needs to be freed. That would be a great patch. :-)

For discussion it is best if you post a patch and then we can discuss the
patch itself rather than "is there a possible way this could go wrong".

Sean
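The bookkeeping problem the two messages above talk about, modelled as a stand-alone C program. This is an added example, not code from the kernel, from the reporter or from Sean; mock_alloc_urb()/mock_free_urb() are hypothetical stand-ins for usb_alloc_urb()/usb_free_urb() that track a "live" flag so a second free of the same object can be counted (in the real driver that second usb_free_urb() is an extra kref_put() on a struct urb that may already be gone), and the 10-slot urb_list, sdr_dev and run_scenario() are assumptions of the model. alloc_urbs_old()/free_urbs_old() keep the shape of the quoted v5.14-rc3 code; alloc_urbs_new()/free_urbs_new() show the shape Sean suggests, where urb_list[i] itself is the state, which only works if every free path also clears the slot, because usb_free_urb() does not touch the caller's pointer and the existing `if (dev->urb_list[i])` check therefore sees a stale but non-NULL pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BULK_BUFS 10	/* assumed size of the urb_list for this model */

/* Hypothetical stand-in for struct urb: live == 0 means already freed. */
struct mock_urb {
	int live;
};

static struct mock_urb pool[MAX_BULK_BUFS];
static int pool_next;		/* next unused pool slot */
static int alloc_calls;		/* allocations attempted so far */
static int fail_at;		/* allocation index that fails, -1 = never */
static int double_free_count;	/* frees of an object that was not live */

/* Stand-in for usb_alloc_urb(): fails at the configured index. */
static struct mock_urb *mock_alloc_urb(void)
{
	int idx = alloc_calls++;

	if ((fail_at >= 0 && idx >= fail_at) || pool_next >= MAX_BULK_BUFS)
		return NULL;
	pool[pool_next].live = 1;
	return &pool[pool_next++];
}

/* Stand-in for usb_free_urb(): tolerates NULL and, like the real one,
 * does not clear the caller's pointer. */
static void mock_free_urb(struct mock_urb *urb)
{
	if (!urb)
		return;
	if (!urb->live)
		double_free_count++;
	urb->live = 0;
}

struct sdr_dev {
	struct mock_urb *urb_list[MAX_BULK_BUFS];
	int urbs_initialized;
};

/* Same shape as the v5.14-rc3 code quoted in the report. */
static int alloc_urbs_old(struct sdr_dev *dev)
{
	int i, j;

	for (i = 0; i < MAX_BULK_BUFS; i++) {
		dev->urb_list[i] = mock_alloc_urb();
		if (!dev->urb_list[i]) {
			/* frees, but leaves urb_list[j] and urbs_initialized stale */
			for (j = 0; j < i; j++)
				mock_free_urb(dev->urb_list[j]);
			return -ENOMEM;
		}
		dev->urbs_initialized++;
	}
	return 0;
}

static int free_urbs_old(struct sdr_dev *dev)
{
	int i;

	for (i = dev->urbs_initialized - 1; i >= 0; i--)
		if (dev->urb_list[i])	/* stale pointer is still non-NULL */
			mock_free_urb(dev->urb_list[i]);
	dev->urbs_initialized = 0;
	return 0;
}

/* Shape suggested in the reply: no counter, the slot is the state, and every
 * free clears the slot so a repeated call is harmless. */
static int free_urbs_new(struct sdr_dev *dev)
{
	int i;

	for (i = MAX_BULK_BUFS - 1; i >= 0; i--) {
		mock_free_urb(dev->urb_list[i]);
		dev->urb_list[i] = NULL;
	}
	return 0;
}

static int alloc_urbs_new(struct sdr_dev *dev)
{
	int i;

	for (i = 0; i < MAX_BULK_BUFS; i++) {
		dev->urb_list[i] = mock_alloc_urb();
		if (!dev->urb_list[i]) {
			free_urbs_new(dev);	/* unwind, every slot ends up NULL */
			return -ENOMEM;
		}
	}
	return 0;
}

/* Allocate with a failure at fail_index (or none), then run the free path
 * regardless of the result, i.e. the "stop after a failed start" sequence
 * Sean doubts can happen. Returns the number of double frees observed. */
static int run_scenario(int old_code, int fail_index)
{
	struct sdr_dev dev;

	memset(&dev, 0, sizeof(dev));
	memset(pool, 0, sizeof(pool));
	pool_next = alloc_calls = double_free_count = 0;
	fail_at = fail_index;

	if (old_code) {
		alloc_urbs_old(&dev);
		free_urbs_old(&dev);
	} else {
		alloc_urbs_new(&dev);
		free_urbs_new(&dev);
	}
	return double_free_count;
}

/* Number of mock urbs still live after a scenario; non-zero would be a leak. */
static int live_urbs(void)
{
	int i, n = 0;

	for (i = 0; i < MAX_BULK_BUFS; i++)
		n += pool[i].live;
	return n;
}

int main(void)
{
	printf("old code, alloc fails at urb 3: %d double frees, %d live\n",
	       run_scenario(1, 3), live_urbs());
	printf("new code, alloc fails at urb 3: %d double frees, %d live\n",
	       run_scenario(0, 3), live_urbs());
	return 0;
}
```

With the old shape and the third allocation failing, the three URBs freed in the unwind loop are freed again by free_urbs_old(), because urbs_initialized is still 3 and the three pointers are still non-NULL; with the counter gone and the slots cleared on free, the same sequence frees each URB exactly once and leaks nothing, whichever path runs last.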