| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 4 Mar 2020 10:41:16 +0200
From: Tomi Valkeinen <tomi.valkeinen@...com>
To: Benoit Parrot <bparrot@...com>, Hans Verkuil <hverkuil@...all.nl>
CC: <linux-media@...r.kernel.org>, <devicetree@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <stable@...r.kernel.org>
Subject: Re: [Patch] media: ti-vpe: cal: fix a kernel oops when unloading
module
On 04/03/2020 10:40, Tomi Valkeinen wrote:
> On 03/03/2020 19:26, Benoit Parrot wrote:
>> After the switch to use v4l2_async_notifier_add_subdev() and
>> v4l2_async_notifier_cleanup(), unloading the ti_cal module would casue a
>> kernel oops.
>>
>> This was root cause to the fact that v4l2_async_notifier_cleanup() tries
>> to kfree the asd pointer passed into v4l2_async_notifier_add_subdev().
>>
>> In our case the asd reference was from a statically allocated struct.
>> So in effect v4l2_async_notifier_cleanup() was trying to free a pointer
>> that was not kalloc.
>>
>> So here we switch to using a kzalloc struct instead of a static one.
>>
>> Fixes: d079f94c9046 ("media: platform: Switch to v4l2_async_notifier_add_subdev")
>>
>> Cc: stable@...r.kernel.org
>> Signed-off-by: Benoit Parrot <bparrot@...com>
>> ---
>> drivers/media/platform/ti-vpe/cal.c | 7 ++++---
>> 1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
>> index 6d4cbb8782ed..18fe2cb9dd17 100644
>> --- a/drivers/media/platform/ti-vpe/cal.c
>> +++ b/drivers/media/platform/ti-vpe/cal.c
>> @@ -372,8 +372,6 @@ struct cal_ctx {
>> struct v4l2_subdev *sensor;
>> struct v4l2_fwnode_endpoint endpoint;
>> - struct v4l2_async_subdev asd;
>> -
>> struct v4l2_fh fh;
>> struct cal_dev *dev;
>> struct cc_data *cc;
>> @@ -2032,7 +2030,6 @@ static int of_cal_create_instance(struct cal_ctx *ctx, int inst)
>> parent = pdev->dev.of_node;
>> - asd = &ctx->asd;
>> endpoint = &ctx->endpoint;
>> ep_node = NULL;
>> @@ -2040,6 +2037,10 @@ static int of_cal_create_instance(struct cal_ctx *ctx, int inst)
>> sensor_node = NULL;
>> ret = -EINVAL;
>> + asd = kzalloc(sizeof(*asd), GFP_KERNEL);
>> + if (!asd)
>> + goto cleanup_exit;
>> +
>> ctx_dbg(3, ctx, "Scanning Port node for csi2 port: %d\n", inst);
>> for (index = 0; index < CAL_NUM_CSI2_PORTS; index++) {
>> port = of_get_next_port(parent, port);
>>
>
> Thanks, this fixes the crash for me.
>
> It does look a bit odd that something is allocated with kzalloc, and then it's freed somewhere
> inside v4l2_async_notifier_cleanup, though. But if that's how it supposed to be used, looks fine to me.
Well, sent that a few seconds too early... With this patch, I see kmemleaks.
Tomi
--
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
Powered by blists - more mailing lists