Re: [PATCH 6.11 066/184] media: dvbdev: prevent the risk of out of memory access

Building the Linux kernel with Clang and LLVM
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Nathan Chancellor <nathan@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>,
	stable@vger.kernel.org, patches@lists.linux.dev,
	Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
	llvm@lists.linux.dev
Subject: Re: [PATCH 6.11 066/184] media: dvbdev: prevent the risk of out of memory access
Date: Tue, 19 Nov 2024 13:03:27 +0100	[thread overview]
Message-ID: <2024111920-nimbly-dipping-4c25@gregkh> (raw)
In-Reply-To: <20241118003338.GA3311143@thelio-3990X>

On Sun, Nov 17, 2024 at 05:33:38PM -0700, Nathan Chancellor wrote:
> On Tue, Nov 12, 2024 at 11:20:24AM +0100, Greg Kroah-Hartman wrote:
> > 6.11-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> > 
> > [ Upstream commit 972e63e895abbe8aa1ccbdbb4e6362abda7cd457 ]
> > 
> > The dvbdev contains a static variable used to store dvb minors.
> > 
> > The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set
> > or not. When not set, dvb_register_device() won't check for
> > boundaries, as it will rely that a previous call to
> > dvb_register_adapter() would already be enforcing it.
> > 
> > On a similar way, dvb_device_open() uses the assumption
> > that the register functions already did the needed checks.
> > 
> > This can be fragile if some device ends using different
> > calls. This also generate warnings on static check analysers
> > like Coverity.
> > 
> > So, add explicit guards to prevent potential risk of OOM issues.
> > 
> > Fixes: 5dd3f3071070 ("V4L/DVB (9361): Dynamic DVB minor allocation")
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > ---
> >  drivers/media/dvb-core/dvbdev.c | 17 +++++++++++++++--
> >  1 file changed, 15 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
> > index b43695bc51e75..14f323fbada71 100644
> > --- a/drivers/media/dvb-core/dvbdev.c
> > +++ b/drivers/media/dvb-core/dvbdev.c
> > @@ -86,10 +86,15 @@ static DECLARE_RWSEM(minor_rwsem);
> >  static int dvb_device_open(struct inode *inode, struct file *file)
> >  {
> >  	struct dvb_device *dvbdev;
> > +	unsigned int minor = iminor(inode);
> > +
> > +	if (minor >= MAX_DVB_MINORS)
> > +		return -ENODEV;
> >  
> >  	mutex_lock(&dvbdev_mutex);
> >  	down_read(&minor_rwsem);
> > -	dvbdev = dvb_minors[iminor(inode)];
> > +
> > +	dvbdev = dvb_minors[minor];
> >  
> >  	if (dvbdev && dvbdev->fops) {
> >  		int err = 0;
> > @@ -525,7 +530,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
> >  	for (minor = 0; minor < MAX_DVB_MINORS; minor++)
> >  		if (!dvb_minors[minor])
> >  			break;
> > -	if (minor == MAX_DVB_MINORS) {
> > +	if (minor >= MAX_DVB_MINORS) {
> >  		if (new_node) {
> >  			list_del(&new_node->list_head);
> >  			kfree(dvbdevfops);
> > @@ -540,6 +545,14 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
> >  	}
> >  #else
> >  	minor = nums2minor(adap->num, type, id);
> > +	if (minor >= MAX_DVB_MINORS) {
> > +		dvb_media_device_free(dvbdev);
> > +		list_del(&dvbdev->list_head);
> > +		kfree(dvbdev);
> > +		*pdvbdev = NULL;
> > +		mutex_unlock(&dvbdev_register_lock);
> > +		return ret;
> 
> This needs commit a4aebaf6e6ef ("media: dvbdev: fix the logic when
> DVB_DYNAMIC_MINORS is not set"), otherwise there is a warning with
> certain configurations when building with clang:
> 
>   drivers/media/dvb-core/dvbdev.c:554:10: warning: variable 'ret' is uninitialized when used here [-Wuninitialized]
>     554 |                 return ret;
>         |                        ^~~
>   drivers/media/dvb-core/dvbdev.c:463:13: note: initialize the variable 'ret' to silence this warning
>     463 |         int id, ret;
>         |                    ^
>         |                     = 0
>   1 warning generated.
> 
> I was somewhat surprised when this warning showed up in my stable
> builds, until I realized that change does not have a Fixes tag like it
> really should have...

Now queued up, thanks.

greg k-h

     prev parent reply	other threads:[~2024-11-19 12:03 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20241112101900.865487674@linuxfoundation.org>
     [not found] ` <20241112101903.395286793@linuxfoundation.org>
2024-11-18  0:33   ` [PATCH 6.11 066/184] media: dvbdev: prevent the risk of out of memory access Nathan Chancellor
2024-11-19 12:03     ` Greg Kroah-Hartman [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2024111920-nimbly-dipping-4c25@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=llvm@lists.linux.dev \
    --cc=mchehab+huawei@kernel.org \
    --cc=nathan@kernel.org \
    --cc=patches@lists.linux.dev \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox