media: pci: cx23885: Fix the error handling in cx23885_initdev()

stable inclusion from stable-v5.10.121 commit ca17e7a532d1a55466cc007b3f4d319541a27493 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5L6CQ Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ca17e7a532d1a55466cc007b3f4d319541a27493 -------------------------------- [ Upstream commit e8123311 ] When the driver fails to call the dma_set_mask(), the driver will get the following splat: [ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240 [ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590 [ 55.856822] Call Trace: [ 55.860327] __process_removed_driver+0x3c/0x240 [ 55.861347] bus_for_each_dev+0x102/0x160 [ 55.861681] i2c_del_driver+0x2f/0x50 This is because the driver has initialized the i2c related resources in cx23885_dev_setup() but not released them in error handling, fix this bug by modifying the error path that jumps after failing to call the dma_set_mask(). Signed-off-by: N Zheyu Ma <zheyuma97@gmail.com> Signed-off-by: N Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: N Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>

media: pci: cx23885: Fix the error handling in cx23885_initdev()
stable inclusion from stable-v5.10.121 commit ca17e7a532d1a55466cc007b3f4d319541a27493 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5L6CQ Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ca17e7a532d1a55466cc007b3f4d319541a27493 -------------------------------- [ Upstream commit e8123311 ] When the driver fails to call the dma_set_mask(), the driver will get the following splat: [ 55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240 [ 55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590 [ 55.856822] Call Trace: [ 55.860327] __process_removed_driver+0x3c/0x240 [ 55.861347] bus_for_each_dev+0x102/0x160 [ 55.861681] i2c_del_driver+0x2f/0x50 This is because the driver has initialized the i2c related resources in cx23885_dev_setup() but not released them in error handling, fix this bug by modifying the error path that jumps after failing to call the dma_set_mask(). Signed-off-by: N Zheyu Ma <zheyuma97@gmail.com> Signed-off-by: N Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: N Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>
43afd542 · Zheyu Ma · Zheng Zengkai · 7f755757 · 43afd542
隐藏空白更改
内联并排

Showing with 3 addition and 3 deletion

drivers/media/pci/cx23885/cx23885-core.c drivers/media/pci/cx23885/cx23885-core.c +3 -3

未找到文件。
--- a/drivers/media/pci/cx23885/cx23885-core.c
+++ b/drivers/media/pci/cx23885/cx23885-core.c
@@ -2154,7 +2154,7 @@ static int cx23885_initdev(struct pci_dev *pci_dev,
 	err = pci_set_dma_mask(pci_dev, 0xffffffff);
 	if (err) {
 		pr_err("%s/0: Oops: no 32bit PCI DMA ???\n", dev->name);
-		goto fail_ctrl;
+		goto fail_dma_set_mask;
 	}
 	err = request_irq(pci_dev->irq, cx23885_irq,
@@ -2162,7 +2162,7 @@ static int cx23885_initdev(struct pci_dev *pci_dev,
 	if (err < 0) {
 		pr_err("%s: can't get IRQ %d\n",
 		       dev->name, pci_dev->irq);
-		goto fail_irq;
+		goto fail_dma_set_mask;
 	}
 	switch (dev->board) {
@@ -2184,7 +2184,7 @@ static int cx23885_initdev(struct pci_dev *pci_dev,
 	return 0;
-fail_irq:
+fail_dma_set_mask:
 	cx23885_dev_unregister(dev);
 fail_ctrl:
 	v4l2_ctrl_handler_free(hdl);