| From 4bb399d9bfba5f26ca413c7cab2e305ba5af8073 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Mon, 14 Dec 2020 12:53:31 +0100 |
| Subject: media: atomisp: Fix use after free in atomisp_alloc_css_stat_bufs() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| [ Upstream commit ba11bbf303fafb33989e95473e409f6ab412b18d ] |
| |
| The "s3a_buf" is freed along with all the other items on the |
| "asd->s3a_stats" list. It leads to a double free and a use after free. |
| |
| Link: https://lore.kernel.org/linux-media/X9dSO3RGf7r0pq2k@mwanda |
| Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/staging/media/atomisp/pci/atomisp_ioctl.c | 4 +--- |
| 1 file changed, 1 insertion(+), 3 deletions(-) |
| |
| diff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c |
| index 2ae50decfc8b..9da82855552d 100644 |
| --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c |
| +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c |
| @@ -948,10 +948,8 @@ int atomisp_alloc_css_stat_bufs(struct atomisp_sub_device *asd, |
| dev_dbg(isp->dev, "allocating %d dis buffers\n", count); |
| while (count--) { |
| dis_buf = kzalloc(sizeof(struct atomisp_dis_buf), GFP_KERNEL); |
| - if (!dis_buf) { |
| - kfree(s3a_buf); |
| + if (!dis_buf) |
| goto error; |
| - } |
| if (atomisp_css_allocate_stat_buffers( |
| asd, stream_id, NULL, dis_buf, NULL)) { |
| kfree(dis_buf); |
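Review bot: The bare `goto error` after the failed `kzalloc()` of `dis_buf` depends on an ownership rule that nothing in the hunk records. Per the commit message, the error path frees every entry on `asd->s3a_stats`, so a buffer already linked onto a list must not also be freed locally. A short comment above the `goto` would help keep the double free from being reintroduced, for example `/* s3a_buf is already on asd->s3a_stats; the error path frees the lists */`. The `kfree(dis_buf)` kept in the next branch is safe only if `dis_buf` has not yet been added to its list at that point. That presumably holds, but it cannot be confirmed here because the body of `atomisp_alloc_css_stat_bufs()` starts and ends outside the hunk.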
| -- |
| 2.30.2 |
| |