From patchwork Tue Jan 17 09:06:10 2023
X-Patchwork-Submitter: Takashi Sakamoto
X-Patchwork-Id: 44598
From: Takashi Sakamoto
To: tiwai@suse.de
Cc: linux1394-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, alsa-devel@alsa-project.org, stable@vger.kernel.org
Subject: [PATCH 1/1] firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region
Date: Tue, 17 Jan 2023 18:06:10 +0900
Message-Id: <20230117090610.93792-2-o-takashi@sakamocchi.jp>
X-Mailer: git-send-email 2.37.2
In-Reply-To: <20230117090610.93792-1-o-takashi@sakamocchi.jp>
References: <20230117090610.93792-1-o-takashi@sakamocchi.jp>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch is a fix for Linux kernel v2.6.33 or later.

For request subactions to the IEC 61883-1 FCP region, the Linux FireWire subsystem has had a use-after-free issue. The subsystem allows multiple user space listeners to the region, while the data of the payload was likely released before the listeners executed read(2) to access it for copying to user space. The issue was fixed by commit 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler"). The payload object is duplicated in kernel space for each listener. When the listener executes ioctl(2) with the FW_CDEV_IOC_SEND_RESPONSE request, the object is going to be released. However, it causes a memory leak since the commit relies on a call of release_request() in drivers/firewire/core-cdev.c. Against the expectation, the function is never called due to the design of release_client_resource().
The function delegates the release task to the caller when called with a non-NULL fourth argument. The implementation of ioctl_send_response() is the case. It should release the object explicitly. This commit fixes the bug.

Cc:
Fixes: 281e20323ab7 ("firewire: core: fix use-after-free regression in FCP handler")
Signed-off-by: Takashi Sakamoto
---
 drivers/firewire/core-cdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c index 9c89f7d53e99..958aa4662ccb 100644 --- a/drivers/firewire/core-cdev.c +++ b/drivers/firewire/core-cdev.c @@ -819,8 +819,10 @@ static int ioctl_send_response(struct client *client, union ioctl_arg *arg) r = container_of(resource, struct inbound_transaction_resource, resource); - if (is_fcp_request(r->request)) + if (is_fcp_request(r->request)) { + kfree(r->data); goto out; + } if (a->length != fw_get_response_length(r->request)) { ret = -EINVAL;
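Review bot: the new kfree(r->data) in the is_fcp_request() branch leaves r->data dangling while r itself is still reachable after the `goto out`; please confirm that nothing at or after the `out:` label (outside this hunk) reads or frees r->data, since release_client_resource() has already delegated ownership to this caller and a second release there would be a double free. A one-line comment above the kfree saying that FCP payloads are per-listener duplicates, unlike the non-FCP path which deliberately leaves r->data alone, would stop the next reader from taking the asymmetry between the two branches for a bug. The teardown path for a client that is closed without ever issuing FW_CDEV_IOC_SEND_RESPONSE is not touched by this hunk; the changelog implies release_request() frees the duplicate in that case, and stating so explicitly would make the fix easier to review against.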
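A simplified user-space model of the ownership rule the commit message describes, added here to illustrate the leak; it is not kernel code, and the names model_resource, release_client_resource, release_request, send_response_model and tracked_alloc are constructions for this example. Passing a non-NULL out-pointer skips the release callback, so the caller must free the per-listener payload copy itself.

```c
#include <stdlib.h>
#include <string.h>

/* Model (not kernel code) of the rule in the commit message: when the caller
 * hands release_client_resource() a non-NULL out-pointer, the resource is
 * returned to the caller instead of being passed to its release callback, so
 * the caller owns every allocation attached to it, including the payload copy. */
static int live_allocs;                 /* blocks currently held via tracked_alloc */
static void *tracked_alloc(size_t n) { live_allocs++; return calloc(1, n); }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }

struct model_resource {
    int is_fcp;                         /* FCP listeners each get a private payload copy */
    unsigned char *data;                /* that per-listener copy (NULL for non-FCP) */
};

/* Release callback; only runs when the caller does NOT take ownership. */
static void release_request(struct model_resource *r)
{
    if (r->is_fcp)
        tracked_free(r->data);
    tracked_free(r);
}

/* Delegation semantics: a non-NULL 'out' means the callback is skipped. */
static void release_client_resource(struct model_resource *r, struct model_resource **out)
{
    if (out) *out = r;
    else release_request(r);
}

/* Models the FCP branch of ioctl_send_response(); returns the number of tracked
 * blocks this call left allocated: 0 means no leak, 1 means the payload leaked. */
static int send_response_model(int with_fix)
{
    static const unsigned char payload[] = { 0x00, 0xff, 0xc0, 0x10 }; /* constructed */
    int before = live_allocs;
    struct model_resource *owned, *r = tracked_alloc(sizeof(*r));
    r->is_fcp = 1;
    r->data = tracked_alloc(sizeof(payload));
    memcpy(r->data, payload, sizeof(payload));
    release_client_resource(r, &owned);   /* caller now owns r and r->data */
    if (owned->is_fcp) {
        if (with_fix)                     /* the patch adds this kfree(r->data) */
            tracked_free(owned->data);
        goto out;
    }
out:
    tracked_free(owned);                  /* the pre-existing release of r itself */
    return live_allocs - before;
}
```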