From patchwork Thu Feb 2 14:36:01 2017
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 9552001
From: Arnd Bergmann
To: Antti Palosaari, Mauro Carvalho Chehab
Cc: Arnd Bergmann, Wolfram Sang, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] [media] dvb-usb-v2: avoid use-after-free
Date: Thu, 2 Feb 2017 15:36:01 +0100
Message-Id: <20170202143627.3565895-1-arnd@arndb.de>

I ran into a stack frame size warning because of the on-stack copy of
the USB device structure:

drivers/media/usb/dvb-usb-v2/dvb_usb_core.c: In function 'dvb_usbv2_disconnect':
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:1029:1: error: the frame size of 1104 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]

Copying a device structure like this is wrong for a number of other
reasons too aside from the possible stack overflow.
One of them is that the dev_info() call will print the name of the device later, but AFAICT we have only copied a pointer to the name earlier and the actual name has been freed by the time it gets printed. This removes the on-stack copy of the device and instead copies the device name using kstrdup(). I'm ignoring the possible failure here as both printk() and kfree() are able to deal with NULL pointers. Signed-off-by: Arnd Bergmann --- drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c index a8e6624fbe83..a9bb2dde98ea 100644 --- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c +++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c @@ -1013,8 +1013,8 @@ EXPORT_SYMBOL(dvb_usbv2_probe); void dvb_usbv2_disconnect(struct usb_interface *intf) { struct dvb_usb_device *d = usb_get_intfdata(intf); - const char *name = d->name; - struct device dev = d->udev->dev; + const char *devname = kstrdup(dev_name(&d->udev->dev), GFP_KERNEL); + const char *drvname = d->name; dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=%d\n", __func__, intf->cur_altsetting->desc.bInterfaceNumber); @@ -1024,8 +1024,9 @@ void dvb_usbv2_disconnect(struct usb_interface *intf) dvb_usbv2_exit(d); - dev_info(&dev, "%s: '%s' successfully deinitialized and disconnected\n", - KBUILD_MODNAME, name); + pr_info("%s: '%s:%s' successfully deinitialized and disconnected\n", + KBUILD_MODNAME, drvname, devname); + kfree(devname); } EXPORT_SYMBOL(dvb_usbv2_disconnect);
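
Review bot: drvname in the first hunk (@@ -1013,8 +1013,8 @@) is still only a pointer copy of d->name, and the second hunk reads it in pr_info() after dvb_usbv2_exit(d) has run, while the device name next to it is now duplicated with kstrdup(). If the string d->name points to does not outlive d, duplicate it as well; if it does, a short comment at the declaration saying so would explain why only devname needs a copy.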
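
Review bot: the pr_info() call in the second hunk (@@ -1024,8 +1024,9 @@) receives a NULL devname when the kstrdup() in the first hunk fails, and the reason that is acceptable is recorded only in the commit message. A one-line comment next to kstrdup() or kfree(devname) stating that the allocation failure is deliberately ignored would keep a later reader from flagging the unchecked return value. Moving from dev_info() to pr_info() also drops the device prefix that dev_info() printed and changes the message format from '%s' to '%s:%s', which is worth a sentence in the changelog.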