From patchwork Mon Oct 31 17:52:26 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sean Young X-Patchwork-Id: 9406157
From: Sean Young To: Mauro Carvalho Chehab Cc: linux-media@vger.kernel.org Subject: [PATCH 8/9] [media] lirc: prevent use-after free Date: Mon, 31 Oct 2016 17:52:26 +0000 Message-Id: <1477936347-9029-9-git-send-email-sean@mess.org> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1477936347-9029-1-git-send-email-sean@mess.org> References: <1477936347-9029-1-git-send-email-sean@mess.org> If you unplug an lirc device while reading from it, you will get a use-after-free as the cdev is freed while still in use. Signed-off-by: Sean Young --- drivers/media/rc/lirc_dev.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c index bf4309f..60fd106 100644 --- a/drivers/media/rc/lirc_dev.c +++ b/drivers/media/rc/lirc_dev.c @@ -164,15 +164,15 @@ static int lirc_cdev_add(struct irctl *ir) struct lirc_driver *d = &ir->d; struct cdev *cdev; - cdev = kzalloc(sizeof(*cdev), GFP_KERNEL); + cdev = cdev_alloc(); if (!cdev) goto err_out; if (d->fops) { - cdev_init(cdev, d->fops); + cdev->ops = d->fops; cdev->owner = d->owner; } else { - cdev_init(cdev, &lirc_dev_fops); + cdev->ops = &lirc_dev_fops; cdev->owner = THIS_MODULE; } retval = kobject_set_name(&cdev->kobj, "lirc%d", d->minor); @@ -190,7 +190,7 @@ static int lirc_cdev_add(struct irctl *ir) return 0; err_out: - kfree(cdev); + cdev_del(cdev); return retval; } @@ -420,7 +420,6 @@ int lirc_unregister_driver(int minor) } else { lirc_irctl_cleanup(ir); cdev_del(cdev); - kfree(cdev); kfree(ir); irctls[minor] = NULL; } @@ -521,7 +520,6 @@ int lirc_dev_fop_close(struct inode *inode, struct file *file) lirc_irctl_cleanup(ir); cdev_del(cdev); irctls[ir->d.minor] = NULL; - kfree(cdev); kfree(ir); }
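
Review bot: In the first hunk (lirc_cdev_add, @@ -164), the change from `cdev_init(cdev, d->fops)` to a bare `cdev->ops = d->fops` carries no comment saying why cdev_init() must not be used after cdev_alloc(). cdev_alloc() already initialises the kobject with a release handler that frees the structure, while cdev_init() would zero the structure again and install the ktype that does not free it, so a later cleanup that restores cdev_init() would silently turn the removed kfree() calls into a leak. A one-line comment above the assignments would help, as would a sentence in the commit message explaining that the kobject reference held by an open file is what now keeps the cdev alive across an unplug.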
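
Review bot: In the err_out hunk (@@ -190), `cdev_del(cdev)` is reached with cdev == NULL when cdev_alloc() fails, because the first hunk keeps `if (!cdev) goto err_out;`. kfree(NULL) was a no-op, but cdev_del() dereferences its argument, so the allocation-failure path becomes a NULL pointer dereference. Return directly when the allocation fails, or guard the call. For a cdev that was allocated but never added, dropping the reference with kobject_put(&cdev->kobj) states the intent more precisely than cdev_del().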
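
Review bot: In lirc_unregister_driver() (@@ -420), the lines that remain free `ir` before clearing its table slot: `kfree(ir); irctls[minor] = NULL;`. This patch is about an object being freed while a reader still uses it, and the same ordering question applies to ir. Clear irctls[minor] first and then call kfree(ir), as the lirc_dev_fop_close() hunk does, unless a lock that is not visible in this hunk already closes that window, in which case a comment naming the lock would help.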
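
Review bot: In lirc_dev_fop_close() (@@ -521), the teardown sequence of lirc_irctl_cleanup(), cdev_del(), clearing the irctls[] slot and kfree(ir) is now a near copy of the one in lirc_unregister_driver(), with the last two steps in the opposite order. Moving it into a single helper would keep the two paths from drifting apart. A short comment there that the cdev is freed by its kobject release once the last reference is dropped, and so must not be touched after cdev_del(), would document the new ownership rule.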