Patch "media: si470x: Fix use-after-free in si470x_int_in_callback()" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    media: si470x: Fix use-after-free in si470x_int_in_callback()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d7ed80959ad56f506bce1a3ba6abb482c4156912
Author: Shigeru Yoshida <syoshida@xxxxxxxxxx>
Date:   Wed Nov 23 03:51:59 2022 +0900

    media: si470x: Fix use-after-free in si470x_int_in_callback()
    
    [ Upstream commit 7d21e0b1b41b21d628bf2afce777727bd4479aa5 ]
    
    syzbot reported use-after-free in si470x_int_in_callback() [1].  This
    indicates that urb->context, which contains struct si470x_device
    object, is freed when si470x_int_in_callback() is called.
    
    The cause of this issue is that si470x_int_in_callback() is called for
    a freed urb.
    
    si470x_usb_driver_probe() calls si470x_start_usb(), which then calls
    usb_submit_urb() and si470x_start().  If si470x_start_usb() fails,
    si470x_usb_driver_probe() doesn't kill the urb, but just frees the struct
    si470x_device object, as depicted below:
    
    si470x_usb_driver_probe()
      ...
      si470x_start_usb()
        ...
        usb_submit_urb()
        retval = si470x_start()
        return retval
      if (retval < 0)
        free struct si470x_device object, but don't kill urb
    
    This patch fixes this issue by killing the urb when si470x_start_usb()
    fails and the urb is submitted.  If si470x_start_usb() fails and the urb is
    not submitted, i.e. submitting usb fails, it just frees the struct
    si470x_device object.
    
    Reported-by: syzbot+9ca7a12fd736d93e0232@xxxxxxxxxxxxxxxxxxxxxxxxx
    Link: https://syzkaller.appspot.com/bug?id=94ed6dddd5a55e90fd4bab942aa4bb297741d977 [1]
    Signed-off-by: Shigeru Yoshida <syoshida@xxxxxxxxxx>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index 3f8634a46573..1365ae732b79 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -733,8 +733,10 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
 
 	/* start radio */
 	retval = si470x_start_usb(radio);
-	if (retval < 0)
+	if (retval < 0 && !radio->int_in_running)
 		goto err_buf;
+	else if (retval < 0)	/* in case of radio->int_in_running == 1 */
+		goto err_all;
 
 	/* set initial frequency */
 	si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
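Review bot: both arms of the new branch test `retval < 0`, and the comment on the `else if` only restates its own condition, so the error path reads more clearly as one test that then picks the label, e.g. `if (retval < 0) { if (radio->int_in_running) goto err_all; goto err_buf; }`. The fix also relies on `err_all` calling usb_kill_urb() on `radio->int_in_urb` before falling through to the buffer cleanup, and on `int_in_running` being left set only when usb_submit_urb() succeeded; neither the label nor that assignment is in this hunk, so please confirm both in the surrounding code before merging.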

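As an added illustration, not code from the patch or the kernel, the ordering the commit message describes modelled in plain C: a probe that fails after the interrupt urb is in flight, run once with the old error path and once cancelling the urb first. The names mirror the driver's but are toy stand-ins; the USB core and host controller are reduced to a pending flag.

```c
#include <stdbool.h>
/* Toy model of the si470x probe error path (constructed for illustration,
 * not kernel code). "Freeing" the device sets a flag instead of calling
 * free() so the model can safely observe a callback hitting a dead context. */
struct urb;
struct si470x_device { struct urb *int_in_urb; int int_in_running; bool freed; };
struct urb {
	void (*complete)(struct urb *);
	void *context;
	bool pending;                   /* submitted, completion not yet delivered */
};
static int callbacks_on_freed_ctx;  /* each hit is the reported use-after-free */

static void si470x_int_in_callback(struct urb *urb)
{
	struct si470x_device *radio = urb->context;
	if (radio->freed)
		callbacks_on_freed_ctx++;
}
static void usb_submit_urb(struct urb *urb) { urb->pending = true; }
static void usb_kill_urb(struct urb *urb) { urb->pending = false; }
static void hw_deliver_pending(struct urb *urb) /* host-controller side */
{
	if (urb->pending) { urb->pending = false; urb->complete(urb); }
}

/* Mirrors si470x_start_usb(): the urb is already in flight when a later
 * failure is reported, which is the window the old probe path mishandled. */
static int si470x_start_usb(struct si470x_device *radio, bool start_fails)
{
	radio->int_in_running = 1;
	usb_submit_urb(radio->int_in_urb);
	return start_fails ? -1 : 0;
}

/* One failing probe; returns how many callbacks ran against the freed device. */
int probe_then_fail(bool kill_urb_on_error)
{
	struct urb urb = { .complete = si470x_int_in_callback };
	struct si470x_device radio = { .int_in_urb = &urb };
	urb.context = &radio;
	callbacks_on_freed_ctx = 0;
	if (si470x_start_usb(&radio, true) < 0) {
		if (kill_urb_on_error && radio.int_in_running)
			usb_kill_urb(&urb);     /* err_all: cancel before freeing */
		radio.freed = true;         /* err_buf: device object goes away */
	}
	hw_deliver_pending(&urb);       /* late completion after probe returned */
	return callbacks_on_freed_ctx;
}
```

probe_then_fail(false) reproduces the syzbot scenario (one callback on a dead context); probe_then_fail(true) follows the patched path and sees none.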

