The patch titled
Fix use-after-free bug in cpia2 driver
has been added to the -mm tree. Its filename is
fix-use-after-free-bug-in-cpia2-driver.patch
See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this
------------------------------------------------------
Subject: Fix use-after-free bug in cpia2 driver
From: Jesper Juhl <jesper.juhl@xxxxxxxxx>
The coverity checker detected a use-after-free error in
drivers/media/video/cpia2/cpia2_v4l.c::cpia2_close() (coverity
error #1281).
What happens is that we lock cam->busy_lock, then proceed to free
resources, and in the case of (--cam->open_count == 0) we finish off by
doing a kfree(cam) and then at the end of the function we do a
mutex_unlock(&cam->busy_lock) which will explode since it'll dereference
the free'd `cam' :
...
mutex_lock(&cam->busy_lock);
...
if (--cam->open_count == 0) {
...
if (!cam->present) {
video_unregister_device(dev);
kfree(cam);
}
}
mutex_unlock(&cam->busy_lock); <--- PROBLEM, cam no longer around.
...
Since this only happens in the case of open_count going down to zero I
don't see a problem with just releasing the mutex after unregistering the
device and just before the kfree(). In this case there is nothing around
that we can race against; we are in the release method, open_count is zero,
(!cam->present) and the device has just been unregistered, so letting go of
the mutex at this point looks safe to me.
Patch below to implement that solution.
Signed-off-by: Jesper Juhl <jesper.juhl@xxxxxxxxx>
Cc: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
drivers/media/video/cpia2/cpia2_v4l.c | 2 ++
1 file changed, 2 insertions(+)
diff -puN drivers/media/video/cpia2/cpia2_v4l.c~fix-use-after-free-bug-in-cpia2-driver drivers/media/video/cpia2/cpia2_v4l.c
--- a/drivers/media/video/cpia2/cpia2_v4l.c~fix-use-after-free-bug-in-cpia2-driver
+++ a/drivers/media/video/cpia2/cpia2_v4l.c
@@ -343,7 +343,9 @@ static int cpia2_close(struct inode *ino
cpia2_free_buffers(cam);
if (!cam->present) {
video_unregister_device(dev);
+ mutex_unlock(&cam->busy_lock);
kfree(cam);
+ return 0;
}
}
_
Patches currently in -mm which might be from jesper.juhl@xxxxxxxxx are
origin.patch
git-alsa.patch
fix-use-after-free-bug-in-cpia2-driver.patch
git-infiniband.patch
small-whitespace-cleanup-for-qlogic-driver.patch
add-scsi_add_host-failure-handling-for-nsp32.patch
xtensa-remove-verify_area-macros.patch
xtensa-remove-verify_area-macros-fix.patch
oss-cs46xx-cleanup-and-tiny-bugfix.patch
i4l-memory-leak-fix-for-sc_ioctl.patch
isdn-unsafe-interaction-between-isdn_write-and-isdn_writebuf_stub.patch
isdn-unsafe-interaction-between-isdn_write-and-isdn_writebuf_stub-fix.patch
binfmt_elf-codingstyle-cleanup-and-remove-some-pointless-casts.patch
binfnt_elf-remove-more-casts.patch
ensure-null-deref-cant-possibly-happen-in-is_exported.patch
bluetooth-fix-potential-null-ptr-deref-in-dtl1_cscdtl1_hci_send_frame.patch
pnp-card_probe-fix-memory-leak.patch
moxa-remove-pointless-casts.patch
moxa-remove-pointless-check-of-tty-argument-vs-null.patch
moxa-partial-codingstyle-cleanup-spelling-fixes.patch
correct-sak-description-in-sysrqtxt.patch
i-force-joystick-remove-some-pointless-casts.patch
debug-shared-irqs.patch
remove-redundant-null-checks-before-free-in-fs.patch
remove-redundant-null-checks-before-free-in-kernel.patch
remove-redundant-null-checks-before-free-in-drivers.patch
-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
