
[FOCAL,CVE-2019-19054] media: rc: prevent memory leak in cx23888_ir_probe

Message ID 20200812175112.62557-1-william.gray@canonical.com
State New

Commit Message

William Breathitt Gray Aug. 12, 2020, 5:51 p.m. UTC
From: Navid Emamdoost <navid.emamdoost@gmail.com>

In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
should be released.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

CVE-2019-19054

(cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
---
 drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Colin Ian King Aug. 12, 2020, 6 p.m. UTC | #1
On 12/08/2020 18:51, William Breathitt Gray wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
> should be released.
> 
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Signed-off-by: Sean Young <sean@mess.org>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> 
> CVE-2019-19054
> 
> (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
> ---
>  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
> index e880afe37f15..d59ca3601785 100644
> --- a/drivers/media/pci/cx23885/cx23888-ir.c
> +++ b/drivers/media/pci/cx23885/cx23888-ir.c
> @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
>  		return -ENOMEM;
>  
>  	spin_lock_init(&state->rx_kfifo_lock);
> -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
> +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
> +			GFP_KERNEL)) {
> +		kfree(state);
>  		return -ENOMEM;
> +	}
>  
>  	state->dev = dev;
>  	sd = &state->sd;
> 

Thanks, looks sane to me

Acked-by: Colin Ian King <colin.king@canonical.com>
Thadeu Lima de Souza Cascardo Aug. 12, 2020, 6:21 p.m. UTC | #2
On Wed, Aug 12, 2020 at 01:51:12PM -0400, William Breathitt Gray wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
> should be released.
> 
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Signed-off-by: Sean Young <sean@mess.org>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> 
> CVE-2019-19054

Hi, William.

This applies cleanly on 5.3, 5.0, 4.15 and 4.4 kernels. Why wasn't it
submitted to those kernels as well?

Thanks.
Cascardo.

PS: this is not needed on 5.6 or 5.8.

> 
> (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
> ---
>  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
> index e880afe37f15..d59ca3601785 100644
> --- a/drivers/media/pci/cx23885/cx23888-ir.c
> +++ b/drivers/media/pci/cx23885/cx23888-ir.c
> @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
>  		return -ENOMEM;
>  
>  	spin_lock_init(&state->rx_kfifo_lock);
> -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
> +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
> +			GFP_KERNEL)) {
> +		kfree(state);
>  		return -ENOMEM;
> +	}
>  
>  	state->dev = dev;
>  	sd = &state->sd;
> -- 
> 2.25.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
William Breathitt Gray Aug. 12, 2020, 6:27 p.m. UTC | #3
On Wed, Aug 12, 2020 at 03:21:57PM -0300, Thadeu Lima de Souza Cascardo wrote:
> On Wed, Aug 12, 2020 at 01:51:12PM -0400, William Breathitt Gray wrote:
> > From: Navid Emamdoost <navid.emamdoost@gmail.com>
> > 
> > In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
> > should be released.
> > 
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > Signed-off-by: Sean Young <sean@mess.org>
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> > 
> > CVE-2019-19054
> 
> Hi, William.
> 
> This applies cleanly on 5.3, 5.0, 4.15 and 4.4 kernels. Why wasn't it
> submitted to those kernels as well?
> 
> Thanks.
> Cascardo.
> 
> PS: this is not needed on 5.6 or 5.8.

Hi Cascardo,

I'm still running test builds for the other kernels to verify there are
no issues. In the future, should I wait to submit all of these together?

Thanks,

William Breathitt Gray

> > 
> > (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
> > Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
> > ---
> >  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
> > index e880afe37f15..d59ca3601785 100644
> > --- a/drivers/media/pci/cx23885/cx23888-ir.c
> > +++ b/drivers/media/pci/cx23885/cx23888-ir.c
> > @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
> >  		return -ENOMEM;
> >  
> >  	spin_lock_init(&state->rx_kfifo_lock);
> > -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
> > +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
> > +			GFP_KERNEL)) {
> > +		kfree(state);
> >  		return -ENOMEM;
> > +	}
> >  
> >  	state->dev = dev;
> >  	sd = &state->sd;
> > -- 
> > 2.25.1
> > 
> > 
Thadeu Lima de Souza Cascardo Aug. 12, 2020, 6:35 p.m. UTC | #4
On Wed, Aug 12, 2020 at 02:27:14PM -0400, William Breathitt Gray wrote:
> On Wed, Aug 12, 2020 at 03:21:57PM -0300, Thadeu Lima de Souza Cascardo wrote:
> > On Wed, Aug 12, 2020 at 01:51:12PM -0400, William Breathitt Gray wrote:
> > > From: Navid Emamdoost <navid.emamdoost@gmail.com>
> > > 
> > > In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
> > > should be released.
> > > 
> > > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > > Signed-off-by: Sean Young <sean@mess.org>
> > > Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> > > 
> > > CVE-2019-19054
> > 
> > Hi, William.
> > 
> > This applies cleanly on 5.3, 5.0, 4.15 and 4.4 kernels. Why wasn't it
> > submitted to those kernels as well?
> > 
> > Thanks.
> > Cascardo.
> > 
> > PS: this is not needed on 5.6 or 5.8.
> 
> Hi Cascardo,
> 
> I'm still running test builds for the other kernels to verify there are
> no issues. In the future, should I wait to submit all of these together?
> 
> Thanks,
> 
> William Breathitt Gray
> 

Unless you are expecting to have problems with backports or tests on older
series, I think it's best to just wait for all of them before sending.
Otherwise, you end up taking everyone's time to review the same thing again. Or
rather, you don't take advantage of the ACKs you already got for the same
bug/CVE.

Cascardo.

> > > 
> > > (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
> > > Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
> > > ---
> > >  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
> > >  1 file changed, 4 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
> > > index e880afe37f15..d59ca3601785 100644
> > > --- a/drivers/media/pci/cx23885/cx23888-ir.c
> > > +++ b/drivers/media/pci/cx23885/cx23888-ir.c
> > > @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
> > >  		return -ENOMEM;
> > >  
> > >  	spin_lock_init(&state->rx_kfifo_lock);
> > > -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
> > > +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
> > > +			GFP_KERNEL)) {
> > > +		kfree(state);
> > >  		return -ENOMEM;
> > > +	}
> > >  
> > >  	state->dev = dev;
> > >  	sd = &state->sd;
> > > -- 
> > > 2.25.1
> > > 
> > > 
Stefan Bader Aug. 14, 2020, 7:34 a.m. UTC | #5
On 12.08.20 19:51, William Breathitt Gray wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
> should be released.
> 
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Signed-off-by: Sean Young <sean@mess.org>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> 
> CVE-2019-19054
> 
> (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

As Thadeu already said, normally it is better to hold back submitting something
until all series which potentially need this have been prepared. And as soon as
that means separate patches combine those under a cover email which refers to
all series in the subject.

The reasoning there is that when you glance over things in a threaded view, one
normally only sees the cover subject. And in cases where something quickly needs
to go in there might be chances to be missed.

In this case it looks like it ended up being a cherry pick for all series. In
that case waiting would have saved a lot of time because you would only have to
submit one patch without cover email and people only have to look at one thing.

For future reference.

>  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
> index e880afe37f15..d59ca3601785 100644
> --- a/drivers/media/pci/cx23885/cx23888-ir.c
> +++ b/drivers/media/pci/cx23885/cx23888-ir.c
> @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
>  		return -ENOMEM;
>  
>  	spin_lock_init(&state->rx_kfifo_lock);
> -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
> +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
> +			GFP_KERNEL)) {
> +		kfree(state);
>  		return -ENOMEM;
> +	}
>  
>  	state->dev = dev;
>  	sd = &state->sd;
>
Kelsey Skunberg Aug. 19, 2020, 3:26 a.m. UTC | #6
On 2020-08-12 19:00:25 , Colin Ian King wrote:
> On 12/08/2020 18:51, William Breathitt Gray wrote:
> > From: Navid Emamdoost <navid.emamdoost@gmail.com>
> > 
> > In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
> > should be released.
> > 
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > Signed-off-by: Sean Young <sean@mess.org>
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> > 
> > CVE-2019-19054
> > 
> > (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
> > Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
> > ---
> >  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
> > index e880afe37f15..d59ca3601785 100644
> > --- a/drivers/media/pci/cx23885/cx23888-ir.c
> > +++ b/drivers/media/pci/cx23885/cx23888-ir.c
> > @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
> >  		return -ENOMEM;
> >  
> >  	spin_lock_init(&state->rx_kfifo_lock);
> > -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
> > +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
> > +			GFP_KERNEL)) {
> > +		kfree(state);
> >  		return -ENOMEM;
> > +	}
> >  
> >  	state->dev = dev;
> >  	sd = &state->sd;
> > 
> 
> Thanks, looks sane to me
> 
> Acked-by: Colin Ian King <colin.king@canonical.com>
>

Hi Colin, 

To avoid assumptions, is this ACK covering the patch for F/X/B or only
Focal? Thank you! 

-Kelsey

Kelsey Skunberg Aug. 19, 2020, 3:29 a.m. UTC | #7
On 2020-08-14 09:34:49 , Stefan Bader wrote:
> On 12.08.20 19:51, William Breathitt Gray wrote:
> > From: Navid Emamdoost <navid.emamdoost@gmail.com>
> > 
> > In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
> > should be released.
> > 
> > Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> > Signed-off-by: Sean Young <sean@mess.org>
> > Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> > 
> > CVE-2019-19054
> > 
> > (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
> > Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
> > ---
> 
> As Thadeu already said, normally it is better to hold back submitting something
> until all series which potentially need this have been prepared. And as soon as
> that means separate patches combine those under a cover email which refers to
> all series in the subject.
> 
> The reasoning there is that when you glance over things in a threaded view, one
> normally only sees the cover subject. And in cases where something quickly needs
> to go in there might be chances to be missed.
> 
> In this case it looks like it ended up being a cherry pick for all series. In
> that case waiting would have saved a lot of time because you would only have to
> submit one patch without cover email and people only have to look at one thing.
> 
> For future reference.
> 

Hi Stefan, 

To avoid any assumptions, is this ACK for F/X/B or only Focal? 

-Kelsey

> >  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
> > index e880afe37f15..d59ca3601785 100644
> > --- a/drivers/media/pci/cx23885/cx23888-ir.c
> > +++ b/drivers/media/pci/cx23885/cx23888-ir.c
> > @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
> >  		return -ENOMEM;
> >  
> >  	spin_lock_init(&state->rx_kfifo_lock);
> > -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
> > +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
> > +			GFP_KERNEL)) {
> > +		kfree(state);
> >  		return -ENOMEM;
> > +	}
> >  
> >  	state->dev = dev;
> >  	sd = &state->sd;
> > 
> 
> 




Colin Ian King Aug. 20, 2020, 1:49 p.m. UTC | #8
On 19/08/2020 04:26, Kelsey Skunberg wrote:
> On 2020-08-12 19:00:25 , Colin Ian King wrote:
>> On 12/08/2020 18:51, William Breathitt Gray wrote:
>>> From: Navid Emamdoost <navid.emamdoost@gmail.com>
>>>
>>> In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
>>> should be released.
>>>
>>> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
>>> Signed-off-by: Sean Young <sean@mess.org>
>>> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
>>>
>>> CVE-2019-19054
>>>
>>> (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
>>> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
>>> ---
>>>  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
>>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
>>> index e880afe37f15..d59ca3601785 100644
>>> --- a/drivers/media/pci/cx23885/cx23888-ir.c
>>> +++ b/drivers/media/pci/cx23885/cx23888-ir.c
>>> @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
>>>  		return -ENOMEM;
>>>  
>>>  	spin_lock_init(&state->rx_kfifo_lock);
>>> -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
>>> +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
>>> +			GFP_KERNEL)) {
>>> +		kfree(state);
>>>  		return -ENOMEM;
>>> +	}
>>>  
>>>  	state->dev = dev;
>>>  	sd = &state->sd;
>>>
>>
>> Thanks, looks sane to me
>>
>> Acked-by: Colin Ian King <colin.king@canonical.com>
>>
> 
> Hi Colin, 
> 
> To avoid assumptions, is this ACK covering the patch for F/X/B or only
> Focal? Thank you! 

Apologies for being ambiguous. It was for F/X/B

Colin
> 
> -Kelsey
> 
>
Stefan Bader Aug. 20, 2020, 2:08 p.m. UTC | #9
On 19.08.20 05:29, Kelsey Skunberg wrote:
> On 2020-08-14 09:34:49 , Stefan Bader wrote:
>> On 12.08.20 19:51, William Breathitt Gray wrote:
>>> From: Navid Emamdoost <navid.emamdoost@gmail.com>
>>>
>>> In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
>>> should be released.
>>>
>>> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
>>> Signed-off-by: Sean Young <sean@mess.org>
>>> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
>>>
>>> CVE-2019-19054
>>>
>>> (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
>>> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
>> Acked-by: Stefan Bader <stefan.bader@canonical.com>
>>> ---
>>
>> As Thadeu already said, normally it is better to hold back submitting something
>> until all series which potentially need this have been prepared. And as soon as
>> that means separate patches combine those under a cover email which refers to
>> all series in the subject.
>>
>> The reasoning there is that when you glance over things in a threaded view, one
>> normally only sees the cover subject. And in cases where something quickly needs
>> to go in there might be chances to be missed.
>>
>> In this case it looks like it ended up being a cherry pick for all series. In
>> that case waiting would have saved a lot of time because you would only have to
>> submit one patch without cover email and people only have to look at one thing.
>>
>> For future reference.
>>
> 
> Hi Stefan, 
> 
> To avoid any assumptions, is this ACK for F/X/B or only Focal?

Yes, it was. Normally acking the first mail in a thread would be to cover
anything below. But you are right, in this case it is a bit confusing.

-Stefan

> 
> -Kelsey
> 
>>>  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
>>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
>>> index e880afe37f15..d59ca3601785 100644
>>> --- a/drivers/media/pci/cx23885/cx23888-ir.c
>>> +++ b/drivers/media/pci/cx23885/cx23888-ir.c
>>> @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
>>>  		return -ENOMEM;
>>>  
>>>  	spin_lock_init(&state->rx_kfifo_lock);
>>> -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
>>> +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
>>> +			GFP_KERNEL)) {
>>> +		kfree(state);
>>>  		return -ENOMEM;
>>> +	}
>>>  
>>>  	state->dev = dev;
>>>  	sd = &state->sd;
>>>
>>
>>
> 
> 
> 
> 
>
Ian May Aug. 25, 2020, 10:13 p.m. UTC | #10
This patch was applied in the following patchset:

Focal update: v5.4.56 upstream stable release
https://bugs.launchpad.net/bugs/1891063

Thanks!
Ian

On 2020-08-12 13:51:12 , William Breathitt Gray wrote:
> From: Navid Emamdoost <navid.emamdoost@gmail.com>
> 
> In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
> should be released.
> 
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
> Signed-off-by: Sean Young <sean@mess.org>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> 
> CVE-2019-19054
> 
> (cherry picked from a7b2df76b42bdd026e3106cf2ba97db41345a177)
> Signed-off-by: William Breathitt Gray <william.gray@canonical.com>
> ---
>  drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
> index e880afe37f15..d59ca3601785 100644
> --- a/drivers/media/pci/cx23885/cx23888-ir.c
> +++ b/drivers/media/pci/cx23885/cx23888-ir.c
> @@ -1167,8 +1167,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
>  		return -ENOMEM;
>  
>  	spin_lock_init(&state->rx_kfifo_lock);
> -	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
> +	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
> +			GFP_KERNEL)) {
> +		kfree(state);
>  		return -ENOMEM;
> +	}
>  
>  	state->dev = dev;
>  	sd = &state->sd;
> -- 
> 2.25.1
> 
> 

Patch

diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
index e880afe37f15..d59ca3601785 100644
--- a/drivers/media/pci/cx23885/cx23888-ir.c
+++ b/drivers/media/pci/cx23885/cx23888-ir.c
@@ -1167,8 +1167,11 @@  int cx23888_ir_probe(struct cx23885_dev *dev)
 		return -ENOMEM;
 
 	spin_lock_init(&state->rx_kfifo_lock);
-	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
+	if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
+			GFP_KERNEL)) {
+		kfree(state);
 		return -ENOMEM;
+	}
 
 	state->dev = dev;
 	sd = &state->sd;
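
Review bot: in the new failure branch of cx23888_ir_probe the return value of kfifo_alloc() is discarded and -ENOMEM is hard-coded; consider storing it (`ret = kfifo_alloc(...)`) and returning that value after `kfree(state)`, so the branch reports whatever the allocator actually returned. The remainder of the function is not visible in this hunk, so it is worth confirming that any later failure return releases both state->rx_kfifo and state; a shared unwind label would keep this cleanup and those in one place instead of repeating kfree() per branch.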