* [PATCH] media: media-request: Fix crash if memory allocation fails
@ 2020-06-21 11:30 Tuomas Tynkkynen
2020-06-22 9:35 ` Hans Verkuil
2020-06-25 14:54 ` Sasha Levin
0 siblings, 2 replies; 3+ messages in thread
From: Tuomas Tynkkynen @ 2020-06-21 11:30 UTC (permalink / raw)
To: mchehab
Cc: laurent.pinchart, sakari.ailus, linux-media, linux-kernel,
Tuomas Tynkkynen, stable
Syzbot reports a NULL-ptr deref in the kref_put() call:
BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline]
kref_put include/linux/kref.h:64 [inline]
media_request_put drivers/media/mc/mc-request.c:81 [inline]
media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89
__fput+0x2ed/0x750 fs/file_table.c:281
task_work_run+0x147/0x1d0 kernel/task_work.c:123
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:165 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196
What led to this crash was an injected memory allocation failure in
media_request_alloc():
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
should_failslab+0x5/0x20
kmem_cache_alloc_trace+0x57/0x300
? anon_inode_getfile+0xe5/0x170
media_request_alloc+0x339/0x440
media_device_request_alloc+0x94/0xc0
media_device_ioctl+0x1fb/0x330
? do_vfs_ioctl+0x6ea/0x1a00
? media_ioctl+0x101/0x120
? __media_device_usb_init+0x430/0x430
? media_poll+0x110/0x110
__se_sys_ioctl+0xf9/0x160
do_syscall_64+0xf3/0x1b0
When that allocation fails, filp->private_data is left uninitialized
which media_request_close() does not expect and crashes.
To avoid this, reorder media_request_alloc() such that
allocating the struct file happens as the last step thus
media_request_close() will no longer get called for a partially created
media request.
Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
---
drivers/media/mc/mc-request.c | 31 +++++++++++++++++--------------
1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c
index e3fca436c75b..c0782fd96c59 100644
--- a/drivers/media/mc/mc-request.c
+++ b/drivers/media/mc/mc-request.c
@@ -296,9 +296,18 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free))
return -ENOMEM;
+ if (mdev->ops->req_alloc)
+ req = mdev->ops->req_alloc(mdev);
+ else
+ req = kzalloc(sizeof(*req), GFP_KERNEL);
+ if (!req)
+ return -ENOMEM;
+
fd = get_unused_fd_flags(O_CLOEXEC);
- if (fd < 0)
- return fd;
+ if (fd < 0) {
+ ret = fd;
+ goto err_free_req;
+ }
filp = anon_inode_getfile("request", &request_fops, NULL, O_CLOEXEC);
if (IS_ERR(filp)) {
@@ -306,15 +315,6 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
goto err_put_fd;
}
- if (mdev->ops->req_alloc)
- req = mdev->ops->req_alloc(mdev);
- else
- req = kzalloc(sizeof(*req), GFP_KERNEL);
- if (!req) {
- ret = -ENOMEM;
- goto err_fput;
- }
-
filp->private_data = req;
req->mdev = mdev;
req->state = MEDIA_REQUEST_STATE_IDLE;
@@ -336,12 +336,15 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
return 0;
-err_fput:
- fput(filp);
-
err_put_fd:
put_unused_fd(fd);
+err_free_req:
+ if (mdev->ops->req_free)
+ mdev->ops->req_free(req);
+ else
+ kfree(req);
+
return ret;
}
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] media: media-request: Fix crash if memory allocation fails
2020-06-21 11:30 [PATCH] media: media-request: Fix crash if memory allocation fails Tuomas Tynkkynen
@ 2020-06-22 9:35 ` Hans Verkuil
2020-06-25 14:54 ` Sasha Levin
1 sibling, 0 replies; 3+ messages in thread
From: Hans Verkuil @ 2020-06-22 9:35 UTC (permalink / raw)
To: Tuomas Tynkkynen, mchehab
Cc: laurent.pinchart, sakari.ailus, linux-media, linux-kernel, stable
On 21/06/2020 13:30, Tuomas Tynkkynen wrote:
> Syzbot reports a NULL-ptr deref in the kref_put() call:
>
> BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline]
> kref_put include/linux/kref.h:64 [inline]
> media_request_put drivers/media/mc/mc-request.c:81 [inline]
> media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89
> __fput+0x2ed/0x750 fs/file_table.c:281
> task_work_run+0x147/0x1d0 kernel/task_work.c:123
> tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> exit_to_usermode_loop arch/x86/entry/common.c:165 [inline]
> prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196
>
> What led to this crash was an injected memory allocation failure in
> media_request_alloc():
>
> FAULT_INJECTION: forcing a failure.
> name failslab, interval 1, probability 0, space 0, times 0
> should_failslab+0x5/0x20
> kmem_cache_alloc_trace+0x57/0x300
> ? anon_inode_getfile+0xe5/0x170
> media_request_alloc+0x339/0x440
> media_device_request_alloc+0x94/0xc0
> media_device_ioctl+0x1fb/0x330
> ? do_vfs_ioctl+0x6ea/0x1a00
> ? media_ioctl+0x101/0x120
> ? __media_device_usb_init+0x430/0x430
> ? media_poll+0x110/0x110
> __se_sys_ioctl+0xf9/0x160
> do_syscall_64+0xf3/0x1b0
>
> When that allocation fails, filp->private_data is left uninitialized
> which media_request_close() does not expect and crashes.
>
> To avoid this, reorder media_request_alloc() such that
> allocating the struct file happens as the last step thus
> media_request_close() will no longer get called for a partially created
> media request.
>
> Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com
> Cc: stable@vger.kernel.org
> Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Thanks!
Hans
> ---
> drivers/media/mc/mc-request.c | 31 +++++++++++++++++--------------
> 1 file changed, 17 insertions(+), 14 deletions(-)
>
> diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c
> index e3fca436c75b..c0782fd96c59 100644
> --- a/drivers/media/mc/mc-request.c
> +++ b/drivers/media/mc/mc-request.c
> @@ -296,9 +296,18 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
> if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free))
> return -ENOMEM;
>
> + if (mdev->ops->req_alloc)
> + req = mdev->ops->req_alloc(mdev);
> + else
> + req = kzalloc(sizeof(*req), GFP_KERNEL);
> + if (!req)
> + return -ENOMEM;
> +
> fd = get_unused_fd_flags(O_CLOEXEC);
> - if (fd < 0)
> - return fd;
> + if (fd < 0) {
> + ret = fd;
> + goto err_free_req;
> + }
>
> filp = anon_inode_getfile("request", &request_fops, NULL, O_CLOEXEC);
> if (IS_ERR(filp)) {
> @@ -306,15 +315,6 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
> goto err_put_fd;
> }
>
> - if (mdev->ops->req_alloc)
> - req = mdev->ops->req_alloc(mdev);
> - else
> - req = kzalloc(sizeof(*req), GFP_KERNEL);
> - if (!req) {
> - ret = -ENOMEM;
> - goto err_fput;
> - }
> -
> filp->private_data = req;
> req->mdev = mdev;
> req->state = MEDIA_REQUEST_STATE_IDLE;
> @@ -336,12 +336,15 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
>
> return 0;
>
> -err_fput:
> - fput(filp);
> -
> err_put_fd:
> put_unused_fd(fd);
>
> +err_free_req:
> + if (mdev->ops->req_free)
> + mdev->ops->req_free(req);
> + else
> + kfree(req);
> +
> return ret;
> }
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] media: media-request: Fix crash if memory allocation fails
2020-06-21 11:30 [PATCH] media: media-request: Fix crash if memory allocation fails Tuomas Tynkkynen
2020-06-22 9:35 ` Hans Verkuil
@ 2020-06-25 14:54 ` Sasha Levin
1 sibling, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2020-06-25 14:54 UTC (permalink / raw)
To: Sasha Levin, Tuomas Tynkkynen, mchehab
Cc: laurent.pinchart, sakari.ailus, stable, stable
Hi
[This is an automated email]
This commit has been processed because it contains a -stable tag.
The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.7.5, v5.4.48, v4.19.129, v4.14.185, v4.9.228, v4.4.228.
v5.7.5: Build OK!
v5.4.48: Build OK!
v4.19.129: Failed to apply! Possible dependencies:
10905d70d7884 ("media: media-request: implement media requests")
v4.14.185: Failed to apply! Possible dependencies:
10905d70d7884 ("media: media-request: implement media requests")
v4.9.228: Failed to apply! Possible dependencies:
10905d70d7884 ("media: media-request: implement media requests")
v4.4.228: Failed to apply! Possible dependencies:
0e576b76f5470 ("[media] media-entity.h: rename entity.type to entity.function")
10905d70d7884 ("media: media-request: implement media requests")
32fdc0e1a87c1 ("[media] uapi/media.h: Fix entity namespace")
8211b187ec646 ("[media] dvbdev: add support for interfaces")
8309f47c32c04 ("[media] media-device: add support for MEDIA_IOC_G_TOPOLOGY ioctl")
8df00a15817e3 ("[media] media: rename the function that create pad links")
bb07bd6b68511 ("[media] allow overriding the driver name")
bcd5081b05367 ("[media] media: Refactor copying IOCTL arguments from and to user space")
bed6919665072 ("[media] au0828: Add support for media controller")
df2f94e563edc ("[media] dvb: modify core to implement interfaces/entities at MC new gen")
df9ecb0cad14b ("[media] vb2: drop v4l2_format argument from queue_setup")
fa762394fd85c ("[media] media: create a macro to get entity ID")
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
--
Thanks
Sasha
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-25 14:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-06-21 11:30 [PATCH] media: media-request: Fix crash if memory allocation fails Tuomas Tynkkynen
2020-06-22 9:35 ` Hans Verkuil
2020-06-25 14:54 ` Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).