@@ -1466,6 +1466,7 @@ static int __comedi_get_user_chanlist(struct comedi_device *dev,
unsigned int *chanlist;
int ret;
+ cmd->chanlist = NULL;
chanlist = memdup_user(user_chanlist,
cmd->chanlist_len * sizeof(unsigned int));
if (IS_ERR(chanlist))
@@ -1619,6 +1620,8 @@ static int do_cmdtest_ioctl(struct comedi_device *dev,
ret = s->do_cmdtest(dev, s, &cmd);
+ kfree(cmd.chanlist); /* free kernel copy of user chanlist */
+
/* restore chanlist pointer before copying back */
cmd.chanlist = (unsigned int __force *)user_chanlist;
This is a note to let you know that I have just added a patch titled staging: comedi: fix memory leak / bad pointer freeing for chanlist to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.16.y-queue This patch is scheduled to be released in version 3.16.7-ckt1. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.16.y-ckt tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Luis ------ From c002841d429d885537da70835a2a78b65ebd0035 Mon Sep 17 00:00:00 2001 From: Ian Abbott <abbotti@mev.co.uk> Date: Mon, 20 Oct 2014 15:10:40 +0100 Subject: staging: comedi: fix memory leak / bad pointer freeing for chanlist commit 238b5ad855924919e5b98d0c772d9dc78795639b upstream. As a follow-up to commit 6cab7a37f5c04 ("staging: comedi: (regression) channel list must be set for COMEDI_CMD ioctl"), Hartley Sweeten pointed out another couple of bugs stemming from commit 6cab7a37f5c04 ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()"). Firstly, `do_cmdtest_ioctl()` never frees the kernel copy of the user chanlist allocated by `__comedi_get_user_chanlist()`, so that memory is leaked. Fix it by freeing the allocated kernel memory pointed to by `cmd.chanlist` before that pointer is overwritten with its original pointer to user memory before `cmd` is copied back to user-space. Secondly, if `__comedi_get_user_chanlist()` returns an error, `cmd->chanlist` is left unchanged and in fact will be a pointer to user memory. This causes `do_cmd_ioctl()` to `goto cleanup` and call `do_become_nonbusy()` which would attempt to free the memory pointed to by the user-space pointer. Fix it by setting `cmd->chanlist` to NULL at the start of `__comedi_get_user_chanlist()`. Fixes: c6cd0eefb27b ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()") Reported-by: H Hartley Sweeten <hsweeten@visionengravers.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Luis Henriques <luis.henriques@canonical.com> --- drivers/staging/comedi/comedi_fops.c | 3 +++ 1 file changed, 3 insertions(+) -- 2.1.0