[git:media_tree/master] media: usbtv: prevent double free in error case

26 Feb 2018

This is an automatic generated email to let you know that the following patch were queued:
Subject: media: usbtv: prevent double free in error case
Author:  Oliver Neukum oneukum@suse.com
Date:    Mon Jan 8 09:21:07 2018 -0500
Quoting the original report:
It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.
usbtv_audio_fail:
usbtv_video_free(usbtv); =>
v4l2_device_put(&usbtv->v4l2_dev);
=> v4l2_device_put
=> kref_put
=> v4l2_device_release
=> usbtv_release (CALLBACK)
=> kfree(usbtv) (1st time)
usbtv_video_fail:
usb_set_intfdata(intf, NULL);
usb_put_dev(usbtv->udev);
kfree(usbtv); (2nd time)
So, as we have refcounting, use it
Reported-by: Yavuz, Tuba tuba@ece.ufl.edu
Signed-off-by: Oliver Neukum oneukum@suse.com
CC: stable@vger.kernel.org
Signed-off-by: Hans Verkuil hans.verkuil@cisco.com
Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com
drivers/media/usb/usbtv/usbtv-core.c | 2 ++
 1 file changed, 2 insertions(+)
---

diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c
index 127f8a0c098b..0c2e628e8723 100644
--- a/drivers/media/usb/usbtv/usbtv-core.c
+++ b/drivers/media/usb/usbtv/usbtv-core.c
@@ -112,6 +112,8 @@ static int usbtv_probe(struct usb_interface *intf,
    return 0;
usbtv_audio_fail:
+	/* we must not free at this point */
+	usb_get_dev(usbtv->udev);
    usbtv_video_free(usbtv);
usbtv_video_fail:

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

[git:media_tree/master] media: usbtv: prevent double free in error case