From patchwork Tue Oct 24 11:36:48 2017
X-Patchwork-Submitter: Arvind Yadav
X-Patchwork-Id: 10024153
From: Arvind Yadav
To: mchehab@kernel.org, max.kellermann@gmail.com, shuah@kernel.org, yamada.masahiro@socionext.com, sakari.ailus@linux.intel.com, colin.king@canonical.com, andreyknvl@google.com, dvyukov@google.com, kcc@google.com
Cc: linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, syzkaller@googlegroups.com
Subject: [RFT] media: dvb_frontend: Fix use-after-free in __dvb_frontend_free
Date: Tue, 24 Oct 2017 17:06:48 +0530
Message-Id: <0ade6e417fbf2cd119aa1f2345f88a3810c03e11.1508844352.git.arvind.yadav.cs@gmail.com>
X-Mailer: git-send-email 1.9.1
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-media@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Here, dvb_free_device will free dvb_device. dvb_frontend_invoke_release is using dvb_device after free.

Signed-off-by: Arvind Yadav
---
This bug was reported by Andrey Konovalov (usb/media/dtt200u: use-after-free in __dvb_frontend_free).

 drivers/media/dvb-core/dvb_frontend.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
index 2fcba16..7f1ef12 100644
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -147,10 +147,10 @@ static void dvb_frontend_free(struct kref *ref) container_of(ref, struct dvb_frontend, refcount); struct dvb_frontend_private *fepriv = fe->frontend_priv; - dvb_free_device(fepriv->dvbdev); - dvb_frontend_invoke_release(fe, fe->ops.release); + dvb_free_device(fepriv->dvbdev); + kfree(fepriv); }
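Review bot: the commit message states that dvb_frontend_invoke_release uses dvb_device after dvb_free_device(fepriv->dvbdev) has freed it, but neither the message nor the hunk shows which access in the release path reaches fepriv->dvbdev, so a reviewer cannot confirm from this patch alone that calling the release callback before dvb_free_device removes the access rather than merely reordering it; please name the offending dereference (and the syzkaller report it came from) in the commit message. The hunk header claims 10 lines per side while the extracted hunk shows only a handful, and the markers on blank lines have collapsed into the following text: the "-" in front of dvb_frontend_invoke_release and the "+" in front of kfree(fepriv) read as if that call were deleted and a new kfree added, which contradicts the diffstat of 2 insertions and 2 deletions, so the intended final order (release callback, then dvb_free_device(fepriv->dvbdev), then kfree(fepriv)) should be confirmed against the full patch before testing. The Signed-off-by and From lines carry no e-mail address as shown; if that is not an extraction artifact, the sign-off needs the address.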