On Wed, 17 Nov 2021 00:32:07 +0800
Dongliang Mu <mudongliangabcd@xxxxxxxxx> wrote:

> In msi2500_probe, it invokes spi_alloc_master to allocate the master
> controller and spi_register_master to register the master controller.
> Then in msi2500_disconnect, it calls spi_unregister_master to unregister
> the master controller. And in spi_unregister_master, it calls put_device
> to decrease the refcount and the device object will be freed then. As a
> result, the dereference of dev->lock will cause a use-after-free bug.
>
> Fix it by changing spi_alloc_master to devm_spi_alloc_master, and
> removing spi_master_put in the error handling code.
>
> Note that this patch can prevent the UAF from occurring any more.
>
> Fixes: fd8b5f502929 ("msi2500: move msi3101 out of staging and rename")
> Signed-off-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
> ---
> drivers/media/usb/msi2500/msi2500.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/media/usb/msi2500/msi2500.c b/drivers/media/usb/msi2500/msi2500.c
> index 71de6b4c4e4c..64c3ec9f1d0c 100644
> --- a/drivers/media/usb/msi2500/msi2500.c
> +++ b/drivers/media/usb/msi2500/msi2500.c
> @@ -1220,7 +1220,7 @@ static int msi2500_probe(struct usb_interface *intf,
> }
>
> /* SPI master adapter */
> - master = spi_alloc_master(dev->dev, 0);
> + master = devm_spi_alloc_master(dev->dev, 0);

We had some bad past experiences with using devm_* on USB media devices,
as there are almost always multiple drivers loaded and multiple interfaces.

Could you please fix the free logic instead of using devm_*?

Regards,
Mauro

> if (master == NULL) {
> ret = -ENOMEM;
> goto err_unregister_v4l2_dev;
> @@ -1233,7 +1233,6 @@ static int msi2500_probe(struct usb_interface *intf,
> spi_master_set_devdata(master, dev);
> ret = spi_register_master(master);
> if (ret) {
> - spi_master_put(master);
> goto err_unregister_v4l2_dev;
> }
>

Thanks,
Mauro
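Review bot: the commit message never says where dev->lock is dereferenced after spi_unregister_master, so a reader cannot verify that binding the controller to dev->dev's devm list (the `+ master = devm_spi_alloc_master(dev->dev, 0);` line in the first hunk at 1223) really outlives that access, nor that holding the controller until the USB interface device is released is harmless when, as Mauro notes, several drivers and interfaces share that device. Please name the offending access in the description and, per Mauro's request, keep spi_alloc_master and fix the unregister/put ordering in msi2500_disconnect so the final put follows the last use of the controller.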
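Review bot: dropping spi_master_put on the spi_register_master failure path (the `- spi_master_put(master);` line in the second hunk at 1236) is only correct while the allocation stays devm-managed; if the first hunk is reverted to spi_alloc_master as Mauro asks, this put has to come back or the controller leaks whenever registration fails. Separately, the surviving body is a single goto, so the braces should be removed as well (checkpatch warns on braces around a single statement): `if (ret)` followed by `goto err_unregister_v4l2_dev;`.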