Patchwork video: fbdev: udlfb: Fix use after free on dlfb_usb_probe error path

Submitter Anton Vasilyev
Date Aug. 11, 2017, 12:59 p.m.
Message ID <1502456341-1783-1-git-send-email-vasilyev@ispras.ru>
Permalink /patch/9895789/
State New

Comments

Anton Vasilyev - Aug. 11, 2017, 12:59 p.m.
If dlfb_usb_probe drops to error path then there is only one
kref_init() call and no kref_get(), so second kref_put() leads to
use after free.

The patch removes superfluous kref_put on dlfb_usb_probe error path.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
---
 drivers/video/fbdev/udlfb.c | 1 -
 1 file changed, 1 deletion(-)

Bartlomiej Zolnierkiewicz - Aug. 21, 2017, 2:35 p.m.
On Friday, August 11, 2017 03:59:01 PM Anton Vasilyev wrote:
> If dlfb_usb_probe drops to error path then there is only one
> kref_init() call and no kref_get(), so second kref_put() leads to
> use after free.
> 
> The patch removes superfluous kref_put on dlfb_usb_probe error path.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>

Patch queued for 4.14, thanks.

Best regards,
--
Bartlomiej Zolnierkiewicz
Samsung R&D Institute Poland
Samsung Electronics


Patch

diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
index 05ef657..f71b49f 100644
--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -1655,7 +1655,6 @@  static int dlfb_usb_probe(struct usb_interface *interface,
 error:
 	if (dev) {
 
-		kref_put(&dev->kref, dlfb_free); /* ref for framebuffer */
 		kref_put(&dev->kref, dlfb_free); /* last ref from kref_init */
 
 		/* dev has been deallocated. Do not dereference */
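
Review bot: The commit message asserts that no kref_get() precedes any jump to error:, but this hunk shows only the label and not the goto sites in dlfb_usb_probe, so the message should name where the framebuffer reference is taken and state that no goto error follows that point; otherwise a later error jump would leak dev once this put is gone. Since the message describes a use after free, a Fixes: tag for the commit that introduced the extra kref_put() would help with backporting. The remaining comment "/* last ref from kref_init */" could be reworded to say it is the only reference held on this path, now that the framebuffer put above it is removed.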