Hi Linux Media Devs,

This is similar to the one before. Please give reported-by credit to

Reported-by: "Yavuz, Tuba" <tuba@xxxxxxxxxxx>

Or maybe flip the names around?

The hackrf_probe() function has a double free on error after we set up:

	dev->v4l2_dev.release = hackrf_video_release;

then the calls to:

	video_unregister_device(&dev->rx_vdev);
and
	kfree(dev);

are a double free.

regards,
dan carpenter

On Tue, Mar 20, 2018 at 01:48:17PM +0000, Yavuz, Tuba wrote:
> Hello,
>
> It looks like there is a double-free vulnerability on an error path in the hackrf_probe function of the hackrf driver.
>
> err_video_unregister_device_rx:
> video_unregister_device(&dev->rx_vdev);
> =>
> v4l2_device_disconnect
> =>
> put_device
> =>
> kobject_put
> =>
> kref_put
> =>
> v4l2_device_release
> =>
> hackrf_video_release (CALLBACK)
> =>
> kfree(dev)
> ...
> err_kfree:
> kfree(dev);
>
> The vulnerability has been introduced with commit 8bc4a9ed85046c214458c9e82aea75d2f46cfffd, which added support for transmitter<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/media/usb/hackrf?id=8bc4a9ed85046c214458c9e82aea75d2f46cfffd>.
>
> Best,
>
> Tuba Yavuz, Ph.D.
> Assistant Professor
> Electrical and Computer Engineering Department
> University of Florida
> Gainesville, FL 32611
> Webpage: http://www.tuba.ece.ufl.edu/
> Email: tuba@xxxxxxxxxxx
> Phone: (352) 846 0202
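
The error-path pattern reported in this thread, modelled in userspace C as an added example (not code from the hackrf driver or from either poster). All `model_*` names are hypothetical, frees are counted instead of performed so the result can be checked safely, and the `fixed` branch is one assumed way to unwind, not necessarily the change adopted upstream.

```c
#include <stddef.h>

/* Userspace model (constructed): counts frees instead of corrupting the heap. */
struct model_dev {
    int refcount;                        /* stands in for the v4l2_device kref */
    void (*release)(struct model_dev *); /* stands in for v4l2_dev.release */
    int *free_count;                     /* times this object was "kfree'd" */
};

/* Stand-in for kfree(dev): records the free so a second one is observable. */
static void model_kfree(struct model_dev *dev) { (*dev->free_count)++; }

/* Plays the role of hackrf_video_release(): the callback frees dev. */
static void model_release(struct model_dev *dev) { model_kfree(dev); }

/* Plays the role of the put_device()/kref_put() tail of the reported chain. */
static void model_put(struct model_dev *dev)
{
    if (--dev->refcount == 0 && dev->release)
        dev->release(dev);
}

/* Probe whose later step fails after the release callback is installed.
 * fixed == 0: unwinding falls through to err_kfree, as in the report.
 * fixed != 0: once release owns dev, the error path skips the kfree.
 * Returns the number of times dev was freed. */
static int model_probe_fail(int fixed)
{
    int frees = 0;
    struct model_dev dev = { 1, NULL, &frees };
    dev.release = model_release; /* dev->v4l2_dev.release = hackrf_video_release; */

    /* ... a later registration step fails here ... */
    goto err_unregister;

err_unregister:
    model_put(&dev);             /* last reference dropped: release frees dev */
    if (fixed)
        return frees;            /* ownership was already handed to release */
    /* err_kfree: */
    model_kfree(&dev);           /* second free of the same object */
    return frees;
}

int main(void)
{
    return (model_probe_fail(0) == 2 && model_probe_fail(1) == 1) ? 0 : 1;
}
```

When auditing similar probe functions, the thing to look for is any `goto` label reachable after the release callback is assigned that still ends in an unconditional `kfree()` of the same object.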