[3/4,media] xc2028: unlock on error in xc2028_set_config()

Message ID 1536951099-22760-4-git-send-email-tyhicks@canonical.com
State New
Series CVE-2016-7913 - Use-after-free in XCeive xc2028 tuner driver

Commit Message

Tyler Hicks Sept. 14, 2018, 6:51 p.m. UTC
From: Dan Carpenter <dan.carpenter@oracle.com>

We have to unlock before returning -ENOMEM.

Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>

CVE-2016-7913

(cherry picked from commit 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 drivers/media/tuners/tuner-xc2028.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Patch

diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index 8e11d5b817f3..f07f9bd6d0f4 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -1399,8 +1399,10 @@  static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 	memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
 	if (p->fname) {
 		priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
-		if (priv->ctrl.fname == NULL)
-			return -ENOMEM;
+		if (priv->ctrl.fname == NULL) {
+			rc = -ENOMEM;
+			goto unlock;
+		}
 	}
 
 	/*
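Review bot: on the kstrdup() failure branch inside `if (p->fname)`, the jump to unlock happens after memcpy() has already overwritten priv->ctrl and after priv->ctrl.fname has been assigned NULL, so the function returns -ENOMEM with the new configuration half applied. Consider duplicating the string into a local first and committing to priv->ctrl only once the allocation has succeeded, or state in a comment that the stored config is not to be relied on after -ENOMEM. Replacing the direct return with `rc = -ENOMEM; goto unlock;` is the right shape for the locking fix itself.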
@@ -1432,6 +1434,7 @@  static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 		} else
 			priv->state = XC2028_WAITING_FIRMWARE;
 	}
+unlock:
 	mutex_unlock(&priv->lock);
 
 	return rc;
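Review bot: the commit message does not say what the missed unlock caused or that the new unlock label, placed directly before mutex_unlock(&priv->lock), makes the -ENOMEM path skip the firmware state handling above it (for example `priv->state = XC2028_WAITING_FIRMWARE`). Skipping it looks intended, but a sentence on both points would help anyone reviewing the backport. It is also worth confirming that no other bare return remains between the lock acquisition and this label, since the lines shown cover only the kstrdup() failure.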