From: Sakari Ailus <sakari.ailus@linux.intel.com>
To: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Cc: mchehab@kernel.org, laurent.pinchart@ideasonboard.com,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] media: media-request: Fix crash if memory allocation fails
Date: Tue, 23 Jun 2020 10:58:52 +0300
Message-ID: <20200623075852.GW16711@paasikivi.fi.intel.com> (raw)
In-Reply-To: <20200621113040.3540-1-tuomas.tynkkynen@iki.fi>
On Sun, Jun 21, 2020 at 02:30:40PM +0300, Tuomas Tynkkynen wrote:
> Syzbot reports a NULL-ptr deref in the kref_put() call:
>
> BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline]
> kref_put include/linux/kref.h:64 [inline]
> media_request_put drivers/media/mc/mc-request.c:81 [inline]
> media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89
> __fput+0x2ed/0x750 fs/file_table.c:281
> task_work_run+0x147/0x1d0 kernel/task_work.c:123
> tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> exit_to_usermode_loop arch/x86/entry/common.c:165 [inline]
> prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196
>
> What led to this crash was an injected memory allocation failure in
> media_request_alloc():
>
> FAULT_INJECTION: forcing a failure.
> name failslab, interval 1, probability 0, space 0, times 0
> should_failslab+0x5/0x20
> kmem_cache_alloc_trace+0x57/0x300
> ? anon_inode_getfile+0xe5/0x170
> media_request_alloc+0x339/0x440
> media_device_request_alloc+0x94/0xc0
> media_device_ioctl+0x1fb/0x330
> ? do_vfs_ioctl+0x6ea/0x1a00
> ? media_ioctl+0x101/0x120
> ? __media_device_usb_init+0x430/0x430
> ? media_poll+0x110/0x110
> __se_sys_ioctl+0xf9/0x160
> do_syscall_64+0xf3/0x1b0
>
> When that allocation fails, filp->private_data is left uninitialized
> which media_request_close() does not expect and crashes.
>
> To avoid this, reorder media_request_alloc() such that
> allocating the struct file happens as the last step thus
> media_request_close() will no longer get called for a partially created
> media request.
>
> Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com
> Cc: stable@vger.kernel.org
> Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Thanks a lot!
I'm adding this tag:
Fixes: 10905d70d788 ("media: media-request: implement media requests")
FYI: in the future, to get patches to the stable trees, please do add the
Cc: stable... tag, but not actually send the patch to stable@vger e-mail
address.
--
Kind regards,
Sakari Ailus
prev parent reply other threads:[~2020-06-23 7:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-21 11:30 Tuomas Tynkkynen
2020-06-22 9:35 ` Hans Verkuil
2020-06-23 7:58 ` Sakari Ailus [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200623075852.GW16711@paasikivi.fi.intel.com \
--to=sakari.ailus@linux.intel.com \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=tuomas.tynkkynen@iki.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Unnamed repository; edit this file 'description' to name the repository.
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://archive.lwn.net:8080/linux-media/0 linux-media/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 linux-media linux-media/ http://archive.lwn.net:8080/linux-media \
linux-media@vger.kernel.org lwn-linux-media@archive.lwn.net
public-inbox-index linux-media
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://archive.lwn.net/lwn.kernel.linux-media
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git