lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20211115165434.361862710@linuxfoundation.org>
Date:   Mon, 15 Nov 2021 17:54:20 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     linux-kernel@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        stable@...r.kernel.org, Hulk Robot <hulkci@...wei.com>,
        Yang Yingliang <yangyingliang@...wei.com>,
        Stable@...r.kernel.org,
        Jonathan Cameron <Jonathan.Cameron@...wei.com>
Subject: [PATCH 5.15 165/917] iio: buffer: Fix memory leak in __iio_buffer_alloc_sysfs_and_mask()

From: Yang Yingliang <yangyingliang@...wei.com>

commit 9a2ff8009e53296e47de72d5af0bc31cd53274ff upstream.

When iio_buffer_wrap_attr() returns NULL or buffer->buffer_group.name alloc
fails, the 'attr' which is allocated in __iio_buffer_alloc_sysfs_and_mask()
is not freed, and cause memory leak.

unreferenced object 0xffff888014882a00 (size 64):
  comm "i2c-adjd_s311-8", pid 424, jiffies 4294907737 (age 44.396s)
  hex dump (first 32 bytes):
    00 0f 8a 15 80 88 ff ff 00 0e 8a 15 80 88 ff ff  ................
    80 04 8a 15 80 88 ff ff 80 05 8a 15 80 88 ff ff  ................
  backtrace:
    [<0000000021752e67>] __kmalloc+0x1af/0x3c0
    [<0000000043e8305c>] iio_buffers_alloc_sysfs_and_mask+0xe73/0x1570 [industrialio]
    [<00000000b7aa5a17>] __iio_device_register+0x483/0x1a30 [industrialio]
    [<000000003fa0fb2f>] __devm_iio_device_register+0x23/0x90 [industrialio]
    [<000000003ab040cf>] adjd_s311_probe+0x19c/0x200 [adjd_s311]
    [<0000000080458969>] i2c_device_probe+0xa31/0xbe0
    [<00000000e20678ad>] really_probe+0x299/0xc30
    [<000000006bea9b27>] __driver_probe_device+0x357/0x500
    [<00000000e1df10d4>] driver_probe_device+0x4e/0x140
    [<0000000003661beb>] __device_attach_driver+0x257/0x340
    [<000000005bb4aa26>] bus_for_each_drv+0x166/0x1e0
    [<00000000272c5236>] __device_attach+0x272/0x420
    [<00000000d52a96ae>] bus_probe_device+0x1eb/0x2a0
    [<00000000129f7737>] device_add+0xbf0/0x1f90
    [<000000005eed4e52>] i2c_new_client_device+0x622/0xb20
    [<00000000b85a9c43>] new_device_store+0x1fa/0x420

This patch fix to free it before the error return.

Reported-by: Hulk Robot <hulkci@...wei.com>
Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes")
Signed-off-by: Yang Yingliang <yangyingliang@...wei.com>
Link: https://lore.kernel.org/r/20211013094343.315275-1-yangyingliang@huawei.com
Cc: <Stable@...r.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@...wei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
 drivers/iio/industrialio-buffer.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -1536,6 +1536,7 @@ static int __iio_buffer_alloc_sysfs_and_
 		       sizeof(struct attribute *) * buffer_attrcount);
 
 	buffer_attrcount += ARRAY_SIZE(iio_buffer_attrs);
+	buffer->buffer_group.attrs = attr;
 
 	for (i = 0; i < buffer_attrcount; i++) {
 		struct attribute *wrapped;
@@ -1543,7 +1544,7 @@ static int __iio_buffer_alloc_sysfs_and_
 		wrapped = iio_buffer_wrap_attr(buffer, attr[i]);
 		if (!wrapped) {
 			ret = -ENOMEM;
-			goto error_free_scan_mask;
+			goto error_free_buffer_attrs;
 		}
 		attr[i] = wrapped;
 	}
@@ -1558,8 +1559,6 @@ static int __iio_buffer_alloc_sysfs_and_
 		goto error_free_buffer_attrs;
 	}
 
-	buffer->buffer_group.attrs = attr;
-
 	ret = iio_device_register_sysfs_group(indio_dev, &buffer->buffer_group);
 	if (ret)
 		goto error_free_buffer_attr_group_name;


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ