| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Apr 2024 23:20:31 +0300
From: Fedor Pchelkin <pchelkin@...ras.ru>
To: Roman Smirnov <r.smirnov@....ru>
Cc: Michael Krufky <mkrufky@...uxtv.org>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Jia-Ju Bai <baijiaju1990@...il.com>,
Hans Verkuil <hverkuil-cisco@...all.nl>,
lvc-project@...uxtesting.org, Sergey Shtylyov <s.shtylyov@....ru>,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [lvc-project] [PATCH 1/3] media: tuners: tda18271: fix error
code handling in tda18271_attach()
On Wed, 24. Apr 21:06, Fedor Pchelkin wrote:
> Hello Roman,
>
> On Tue, 16. Apr 14:45, Roman Smirnov wrote:
> > tda18271_attach() uses the hybrid_tuner_request_state() macro.
> > It may return the error code -ENOMEM, but the function handle
> > the value 0 instead.
>
> Maybe hybrid_tuner_request_state macro declaration should be fixed to
> generate zero in case of a memory allocation failure?
>
> At least it has a comment stating the following
> * 0 - no instances, indicates an error - kzalloc must have failed
>
> And supposedly a number of drivers implemented the error handling based on
> this assumption.
>
> The drivers mentioned in this series are not the only ones susceptible to
> the problem. Grepping through "hybrid_tuner_request_state" calls also gives
> out tda9887, xc2028, r820t and others.
>
> >
> > Found by Linux Verification Center (linuxtesting.org) with Svace.
> >
> > Fixes: b9302fa7ed97 ("media: tuners: fix error return code of hybrid_tuner_request_state()")
Looking more thoroughly, I think commit b9302fa7ed97 ("media: tuners: fix
error return code of hybrid_tuner_request_state()") should be reverted
because it just contradicts with the return values contract which is stated
in the comment for the macro and which is followed by all the existing
drivers.
__ret should be assigned 0 in error case as was before the commit.
> > Signed-off-by: Roman Smirnov <r.smirnov@....ru>
> > ---
> > drivers/media/tuners/tda18271-fe.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/media/tuners/tda18271-fe.c b/drivers/media/tuners/tda18271-fe.c
> > index a7e721baaa99..23432210f06a 100644
> > --- a/drivers/media/tuners/tda18271-fe.c
> > +++ b/drivers/media/tuners/tda18271-fe.c
> > @@ -1255,7 +1255,7 @@ struct dvb_frontend *tda18271_attach(struct dvb_frontend *fe, u8 addr,
> > hybrid_tuner_instance_list,
> > i2c, addr, "tda18271");
> > switch (instance) {
> > - case 0:
> > + case -ENOMEM:
> > goto fail;
> > case 1:
> > /* new tuner instance */
> > --
> > 2.34.1
> >
Powered by blists - more mailing lists