Commit 0051453

arndb authored and mchehab committed
[media] dvb-usb-v2: avoid use-after-free
I ran into a stack frame size warning because of the on-stack copy of the USB device structure:

drivers/media/usb/dvb-usb-v2/dvb_usb_core.c: In function 'dvb_usbv2_disconnect':
drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:1029:1: error: the frame size of 1104 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]

Copying a device structure like this is wrong for a number of other reasons too aside from the possible stack overflow. One of them is that the dev_info() call will print the name of the device later, but AFAICT we have only copied a pointer to the name earlier and the actual name has been freed by the time it gets printed.

This removes the on-stack copy of the device and instead copies the device name using kstrdup(). I'm ignoring the possible failure here as both printk() and kfree() are able to deal with NULL pointers.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
1 parent 430ae12 commit 0051453

1 file changed, +5 -4 lines changed

Diff for: drivers/media/usb/dvb-usb-v2/dvb_usb_core.c

@@ -1012,8 +1012,8 @@ EXPORT_SYMBOL(dvb_usbv2_probe);
10121012
void dvb_usbv2_disconnect(struct usb_interface *intf)
10131013
{
10141014
struct dvb_usb_device *d = usb_get_intfdata(intf);
1015-
const char *name = d->name;
1016-
struct device dev = d->udev->dev;
1015+
const char *devname = kstrdup(dev_name(&d->udev->dev), GFP_KERNEL);
1016+
const char *drvname = d->name;
10171017

10181018
dev_dbg(&d->udev->dev, "%s: bInterfaceNumber=%d\n", __func__,
10191019
intf->cur_altsetting->desc.bInterfaceNumber);
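
Review bot: drvname on new line 1016 is still a borrowed pointer read from d->name before dvb_usbv2_exit(d) runs, while devname on the line above is duplicated with kstrdup() precisely because the string it pointed to may be gone by print time. If d->name refers to storage that outlives d, a one-line comment saying so would make the asymmetry clear; if it does not, it needs the same kstrdup() treatment. The kstrdup() result is also used unchecked; the commit message explains that printk() and kfree() accept NULL, and a short comment at the call site would keep the next reader from treating it as an oversight.
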
@@ -1023,8 +1023,9 @@ void dvb_usbv2_disconnect(struct usb_interface *intf)
10231023

10241024
dvb_usbv2_exit(d);
10251025

1026-
dev_info(&dev, "%s: '%s' successfully deinitialized and disconnected\n",
1027-
KBUILD_MODNAME, name);
1026+
pr_info("%s: '%s:%s' successfully deinitialized and disconnected\n",
1027+
KBUILD_MODNAME, drvname, devname);
1028+
kfree(devname);
10281029
}
10291030
EXPORT_SYMBOL(dvb_usbv2_disconnect);
10301031

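
Review bot: Replacing dev_info(&dev, ...) with pr_info(...) on new lines 1026-1027 changes the emitted log line, which the commit message does not mention: the device prefix that dev_info() adds is dropped, and the quoted field becomes '%s:%s' with drvname first and devname second. Anything that matches on the old disconnect message will no longer match, so the format change deserves a sentence in the changelog. When kstrdup() has failed the device part of the message prints as a NULL string, which is acceptable for an informational line but also worth stating next to the pr_info() call. The kfree(devname) on line 1028 is correctly placed after the last use.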