linux-media.vger.kernel.org archive mirror
From: Pavel Machek <pavel@denx.de>
To: Sasha Levin <sashal@kernel.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
	rkardell@mida.se, mchehab@kernel.org,
	linux-media@vger.kernel.org
Subject: Re: [PATCH AUTOSEL 4.4 11/29] media: m920x: don't use stack on USB reads
Date: Thu, 20 Jan 2022 11:26:01 +0100
Message-ID: <20220120102601.GB14998@amd>
In-Reply-To: <20220118030822.1955469-11-sashal@kernel.org>

Hi!

> From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> 
> [ Upstream commit a2ab06d7c4d6bfd0b545a768247a70463e977e27 ]
> 
> Using stack-allocated pointers for USB message data doesn't work.
> This driver is almost OK with that, except for the I2C read
> logic.
> 
> Fix it by using a temporary read buffer, just like on all other
> calls to m920x_read().

This introduces a memory leak... and I don't believe it really fixes the
problem.

> index eafc5c82467f4..5b806779e2106 100644
> --- a/drivers/media/usb/dvb-usb/m920x.c
> +++ b/drivers/media/usb/dvb-usb/m920x.c
> @@ -284,6 +284,13 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
>  			/* Should check for ack here, if we knew how. */
>  		}
>  		if (msg[i].flags & I2C_M_RD) {
> +			char *read = kmalloc(1, GFP_KERNEL);
> +			if (!read) {
> +				ret = -ENOMEM;
> +				kfree(read);
> +				goto unlock;
> +			}

kfree(NULL);

>  			for (j = 0; j < msg[i].len; j++) {
>  				/* Last byte of transaction?
>  				 * Send STOP, otherwise send ACK. */
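
Review bot: the one-byte kmalloc() at the top of the I2C_M_RD branch runs once for every read message, inside the loop over msg[i], and adds an -ENOMEM exit for each one. Allocating the bounce byte once before the message loop and freeing it at the unlock label would leave a single allocation and a single free to audit.
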
> @@ -291,9 +298,12 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
>  
>  				if ((ret = m920x_read(d->udev, M9206_I2C, 0x0,
>  						      0x20 | stop,
> -						      &msg[i].buf[j], 1)) != 0)
> +						      read, 1)) != 0)
>  					goto unlock;

Memory leak of read.

> +				msg[i].buf[j] = read[0];
>  			}
> +
> +			kfree(read);
>  		} else {
>  			for (j = 0; j < msg[i].len; j++) {
>  				/* Last byte of transaction? Then send STOP. */

But more importantly, do we have an exact copy of the read problem just
below, during write?

Best regards,
								Pavel

diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c
index 691e05833db1..e5ee54324a28 100644
--- a/drivers/media/usb/dvb-usb/m920x.c
+++ b/drivers/media/usb/dvb-usb/m920x.c
@@ -250,7 +250,7 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
 {
 	struct dvb_usb_device *d = i2c_get_adapdata(adap);
 	int i, j;
-	int ret = 0;
+	int ret;
 
 	if (mutex_lock_interruptible(&d->i2c_mutex) < 0)
 		return -EAGAIN;
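
Review bot: dropping the "= 0" initializer from "int ret" at the top of m920x_i2c_xfer() is unrelated to the leak, and it is only safe if every path to the unlock label assigns ret first; the lines shown here do not establish that, for example when the message loop never runs. Keep the initializer, or move this change into its own patch with a changelog sentence explaining why it is not needed.
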
@@ -277,7 +277,6 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
 			char *read = kmalloc(1, GFP_KERNEL);
 			if (!read) {
 				ret = -ENOMEM;
-				kfree(read);
 				goto unlock;
 			}
 
@@ -288,8 +287,10 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu
 
 				if ((ret = m920x_read(d->udev, M9206_I2C, 0x0,
 						      0x20 | stop,
-						      read, 1)) != 0)
+						      read, 1)) != 0) {
+					kfree(read);
 					goto unlock;
+				}
 				msg[i].buf[j] = read[0];
 			}
 
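
Review bot: the kfree(read) added before "goto unlock" in the m920x_read() failure branch covers this exit only, and the buffer now has two free sites (here and after the loop). A dedicated label that frees read and then falls through to unlock would keep one free site and cover any error exit added to this branch later. The patch also carries no changelog or Signed-off-by line, which it needs before it can be applied.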


-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
