Syzbot reports a NULL-ptr deref in the kref_put() call:
BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline] kref_put include/linux/kref.h:64 [inline] media_request_put drivers/media/mc/mc-request.c:81 [inline] media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89 __fput+0x2ed/0x750 fs/file_table.c:281 task_work_run+0x147/0x1d0 kernel/task_work.c:123 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:165 [inline] prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196
What led to this crash was an injected memory allocation failure in media_request_alloc():
FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 should_failslab+0x5/0x20 kmem_cache_alloc_trace+0x57/0x300 ? anon_inode_getfile+0xe5/0x170 media_request_alloc+0x339/0x440 media_device_request_alloc+0x94/0xc0 media_device_ioctl+0x1fb/0x330 ? do_vfs_ioctl+0x6ea/0x1a00 ? media_ioctl+0x101/0x120 ? __media_device_usb_init+0x430/0x430 ? media_poll+0x110/0x110 __se_sys_ioctl+0xf9/0x160 do_syscall_64+0xf3/0x1b0
When that allocation fails, filp->private_data is left uninitialized which media_request_close() does not expect and crashes.
To avoid this, reorder media_request_alloc() such that allocating the struct file happens as the last step thus media_request_close() will no longer get called for a partially created media request.
Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Tuomas Tynkkynen tuomas.tynkkynen@iki.fi --- drivers/media/mc/mc-request.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c index e3fca436c75b..c0782fd96c59 100644 --- a/drivers/media/mc/mc-request.c +++ b/drivers/media/mc/mc-request.c @@ -296,9 +296,18 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free)) return -ENOMEM;
+ if (mdev->ops->req_alloc) + req = mdev->ops->req_alloc(mdev); + else + req = kzalloc(sizeof(*req), GFP_KERNEL); + if (!req) + return -ENOMEM; + fd = get_unused_fd_flags(O_CLOEXEC); - if (fd < 0) - return fd; + if (fd < 0) { + ret = fd; + goto err_free_req; + }
filp = anon_inode_getfile("request", &request_fops, NULL, O_CLOEXEC); if (IS_ERR(filp)) { @@ -306,15 +315,6 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) goto err_put_fd; }
- if (mdev->ops->req_alloc) - req = mdev->ops->req_alloc(mdev); - else - req = kzalloc(sizeof(*req), GFP_KERNEL); - if (!req) { - ret = -ENOMEM; - goto err_fput; - } - filp->private_data = req; req->mdev = mdev; req->state = MEDIA_REQUEST_STATE_IDLE; @@ -336,12 +336,15 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd)
return 0;
-err_fput: - fput(filp); - err_put_fd: put_unused_fd(fd);
+err_free_req: + if (mdev->ops->req_free) + mdev->ops->req_free(req); + else + kfree(req); + return ret; }
On 21/06/2020 13:30, Tuomas Tynkkynen wrote:
Syzbot reports a NULL-ptr deref in the kref_put() call:
BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline] kref_put include/linux/kref.h:64 [inline] media_request_put drivers/media/mc/mc-request.c:81 [inline] media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89 __fput+0x2ed/0x750 fs/file_table.c:281 task_work_run+0x147/0x1d0 kernel/task_work.c:123 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_usermode_loop arch/x86/entry/common.c:165 [inline] prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196
What led to this crash was an injected memory allocation failure in media_request_alloc():
FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 should_failslab+0x5/0x20 kmem_cache_alloc_trace+0x57/0x300 ? anon_inode_getfile+0xe5/0x170 media_request_alloc+0x339/0x440 media_device_request_alloc+0x94/0xc0 media_device_ioctl+0x1fb/0x330 ? do_vfs_ioctl+0x6ea/0x1a00 ? media_ioctl+0x101/0x120 ? __media_device_usb_init+0x430/0x430 ? media_poll+0x110/0x110 __se_sys_ioctl+0xf9/0x160 do_syscall_64+0xf3/0x1b0
When that allocation fails, filp->private_data is left uninitialized which media_request_close() does not expect and crashes.
To avoid this, reorder media_request_alloc() such that allocating the struct file happens as the last step thus media_request_close() will no longer get called for a partially created media request.
Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Tuomas Tynkkynen tuomas.tynkkynen@iki.fi
Reviewed-by: Hans Verkuil hverkuil-cisco@xs4all.nl
Thanks!
Hans
drivers/media/mc/mc-request.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/drivers/media/mc/mc-request.c b/drivers/media/mc/mc-request.c index e3fca436c75b..c0782fd96c59 100644 --- a/drivers/media/mc/mc-request.c +++ b/drivers/media/mc/mc-request.c @@ -296,9 +296,18 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free)) return -ENOMEM;
- if (mdev->ops->req_alloc)
req = mdev->ops->req_alloc(mdev);- else
req = kzalloc(sizeof(*req), GFP_KERNEL);- if (!req)
return -ENOMEM;- fd = get_unused_fd_flags(O_CLOEXEC);
- if (fd < 0)
return fd;
- if (fd < 0) {
ret = fd;goto err_free_req;- }
filp = anon_inode_getfile("request", &request_fops, NULL, O_CLOEXEC); if (IS_ERR(filp)) { @@ -306,15 +315,6 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) goto err_put_fd; }
- if (mdev->ops->req_alloc)
req = mdev->ops->req_alloc(mdev);- else
req = kzalloc(sizeof(*req), GFP_KERNEL);- if (!req) {
ret = -ENOMEM;goto err_fput;- }
- filp->private_data = req; req->mdev = mdev; req->state = MEDIA_REQUEST_STATE_IDLE;
@@ -336,12 +336,15 @@ int media_request_alloc(struct media_device *mdev, int *alloc_fd) return 0; -err_fput:
- fput(filp);
err_put_fd: put_unused_fd(fd); +err_free_req:
- if (mdev->ops->req_free)
mdev->ops->req_free(req);- else
kfree(req);- return ret;
}
Hi
[This is an automated email]
This commit has been processed because it contains a -stable tag. The stable tag indicates that it's relevant for the following trees: all
The bot has tested the following trees: v5.7.5, v5.4.48, v4.19.129, v4.14.185, v4.9.228, v4.4.228.
v5.7.5: Build OK! v5.4.48: Build OK! v4.19.129: Failed to apply! Possible dependencies: 10905d70d7884 ("media: media-request: implement media requests")
v4.14.185: Failed to apply! Possible dependencies: 10905d70d7884 ("media: media-request: implement media requests")
v4.9.228: Failed to apply! Possible dependencies: 10905d70d7884 ("media: media-request: implement media requests")
v4.4.228: Failed to apply! Possible dependencies: 0e576b76f5470 ("[media] media-entity.h: rename entity.type to entity.function") 10905d70d7884 ("media: media-request: implement media requests") 32fdc0e1a87c1 ("[media] uapi/media.h: Fix entity namespace") 8211b187ec646 ("[media] dvbdev: add support for interfaces") 8309f47c32c04 ("[media] media-device: add support for MEDIA_IOC_G_TOPOLOGY ioctl") 8df00a15817e3 ("[media] media: rename the function that create pad links") bb07bd6b68511 ("[media] allow overriding the driver name") bcd5081b05367 ("[media] media: Refactor copying IOCTL arguments from and to user space") bed6919665072 ("[media] au0828: Add support for media controller") df2f94e563edc ("[media] dvb: modify core to implement interfaces/entities at MC new gen") df9ecb0cad14b ("[media] vb2: drop v4l2_format argument from queue_setup") fa762394fd85c ("[media] media: create a macro to get entity ID")
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
linux-stable-mirror@lists.linaro.org
-
Hans Verkuil -
Sasha Levin -
Tuomas Tynkkynen