linux/drivers/media/tuners
Mauro Carvalho Chehab 8dfbcc4351 [media] xc2028: avoid use after free
If struct xc2028_config is passed without a firmware name,
the following trouble may happen:

[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G        W      ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------

[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012] 	___slab_alloc+0x581/0x5b0
[11009.908014] 	__slab_alloc+0x51/0x90
[11009.908017] 	__kmalloc+0x27b/0x350
[11009.908022] 	xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026] 	usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029] 	usb_submit_urb+0xb0e/0x1200
[11009.908032] 	usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035] 	usb_serial_generic_write+0x92/0xc0
[11009.908039] 	usb_console_write+0x38a/0x560
[11009.908045] 	call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051] 	console_unlock+0x40d/0x900
[11009.908056] 	vprintk_emit+0x4b4/0x830
[11009.908061] 	vprintk_default+0x1f/0x30
[11009.908064] 	printk+0x99/0xb5
[11009.908067] 	kasan_report_error+0x10a/0x550
[11009.908070] 	__asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077] 	__slab_free+0x2ec/0x460
[11009.908080] 	kfree+0x266/0x280
[11009.908083] 	xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086] 	xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090] 	em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094] 	em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098] 	em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101] 	em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105] 	em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108] 	do_one_initcall+0x141/0x300
[11009.908111] 	do_init_module+0x1d0/0x5ad
[11009.908114] 	load_module+0x6666/0x9ba0
[11009.908117] 	SyS_finit_module+0x108/0x130
[11009.908120] 	entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x          (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001

[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00  ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff  ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G    B   W       4.5.0-rc1+ #43
[11009.908140] Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142]  ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148]  ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153]  ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162]  [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165]  [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168]  [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171]  [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182]  [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185]  [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189]  [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192]  [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196]  [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200]  [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203]  [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206]  [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211]  [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215]  [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219]  [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222]  [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226]  [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230]  [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233]  [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238]  [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242]  [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245]  [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249]  [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253]  [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260]  [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264]  [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268]  [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275]  [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278]  [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292]  [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299]  [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302]  [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306]  [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309]  [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314]  [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317]  [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320]  [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324]  [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327]  [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330]  [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346]  [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350]  [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353]  [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356]  [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361]  [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366]  [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369]  [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374]  [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377]  [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379]  [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383]  [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394]  [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398]  ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401]  ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405]                                            ^
[11009.908407]  ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409]  ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================

In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
2016-02-01 07:16:18 -02:00
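The hazard and the two-part fix the commit message describes, as an added stand-alone C model that is not the xc2028 driver's code: a config whose firmware name may be NULL, a cached copy that is freed on every set_config call, and a later strcmp() on that cache. The `last_freed` bookkeeping, the `fail_alloc` switch and the firmware file names are constructed stand-ins for KASAN, for a failing kstrdup() and for the real names.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct tuner_config { const char *fname; };        /* caller's config; fname may be NULL */
struct tuner_priv   { struct tuner_config ctrl; }; /* driver state holding the cached copy */

static const char *default_fw = "placeholder-default.fw"; /* constructed default name */
static const void *last_freed;  /* poor man's KASAN: address of the last freed name */
static bool fail_alloc;         /* constructed switch simulating kstrdup() failure */

static void name_free(const char *s) { last_freed = s; free((char *)s); }

static char *name_dup(const char *s) {
    char *p = fail_alloc ? NULL : malloc(strlen(s) + 1);
    if (p) { memcpy(p, s, strlen(s) + 1); if (p == last_freed) last_freed = NULL; }
    return p;
}

/* The compare the trace shows faulting in strcmp(): 1 = changed, 0 = same,
 * -1 = the cached pointer is stale and strcmp() would read freed memory. */
static int needs_reload(const struct tuner_priv *priv) {
    if (!priv->ctrl.fname) return 0;
    if (priv->ctrl.fname == last_freed) return -1;
    return strcmp(priv->ctrl.fname, default_fw) != 0;
}

/* Before: the old name is freed but its pointer stays in priv->ctrl.fname, so a config
 * without a firmware name leaves it dangling; a failed copy is also never reported. */
static int set_config_buggy(struct tuner_priv *priv, const struct tuner_config *p) {
    name_free(priv->ctrl.fname);
    if (p->fname) priv->ctrl.fname = name_dup(p->fname);
    return needs_reload(priv);
}

/* After: clear the cached pointer right after freeing it and return -ENOMEM on failure. */
static int set_config_fixed(struct tuner_priv *priv, const struct tuner_config *p) {
    name_free(priv->ctrl.fname);
    priv->ctrl.fname = NULL;
    if (p->fname && !(priv->ctrl.fname = name_dup(p->fname))) return -ENOMEM;
    return needs_reload(priv);
}

/* Scenario: "custom.fw" was cached earlier; a new config arrives with new_name (maybe NULL). */
static int run_scenario(int (*set_config)(struct tuner_priv *, const struct tuner_config *),
                        const char *new_name, bool alloc_fails) {
    struct tuner_priv priv = { { name_dup("custom.fw") } };
    struct tuner_config p = { new_name };
    fail_alloc = alloc_fails;
    int rc = set_config(&priv, &p);
    fail_alloc = false;
    if (priv.ctrl.fname != last_freed) free((char *)priv.ctrl.fname);
    return rc;
}
```

`run_scenario(set_config_buggy, NULL, false)` reports the stale pointer (-1) that KASAN flagged in the trace above, while the fixed variant returns 0 for the same input and -ENOMEM when the copy fails.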
e4000_priv.h [media] e4000: implement V4L2 subdevice tuner and core ops 2015-05-20 13:49:27 -03:00
e4000.c [media] tuners: Drop owner assignment from i2c_driver 2015-08-11 13:01:32 -03:00
e4000.h [media] e4000: various small changes 2015-05-20 13:48:31 -03:00
fc001x-common.h
fc0011.c Revert "[media] fc0011: Return early, if the frequency is already tuned" 2013-02-11 19:38:59 -02:00
fc0011.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
fc0012-priv.h [media] fc0012: use Kernel dev_foo() logging 2013-01-06 09:08:23 -02:00
fc0012.c [media] fc001[23]: Change variable type to bool 2013-10-02 06:48:14 -03:00
fc0012.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
fc0013-priv.h
fc0013.c [media] fc0013: remove unneeded test 2015-05-14 18:06:40 -03:00
fc0013.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
fc2580_priv.h [media] fc2580: implement V4L2 subdevice for SDR control 2015-05-18 15:58:10 -03:00
fc2580.c [media] tuners: Drop owner assignment from i2c_driver 2015-08-11 13:01:32 -03:00
fc2580.h [media] fc2580: implement V4L2 subdevice for SDR control 2015-05-18 15:58:10 -03:00
it913x.c [media] tuners: Drop owner assignment from i2c_driver 2015-08-11 13:01:32 -03:00
it913x.h [media] it913x: re-implement sleep 2014-09-21 18:24:32 -03:00
Kconfig [media] tuners: Make all TV tuners visible if COMPILE_TEST=y 2015-08-11 12:56:40 -03:00
m88rs6000t.c [media] tuners: Refactoring for m88rs6000t_sleep() 2016-01-25 15:15:38 -02:00
m88rs6000t.h [media] m88rs6000t: add new dvb-s/s2 tuner for integrated chip M88RS6000 2014-11-03 18:23:43 -02:00
Makefile [media] m88ts2022: remove from Makefile 2015-04-07 08:12:06 -03:00
max2165_priv.h
max2165.c [media] tv tuner max2165 driver: extend frequency range 2015-11-19 11:19:42 -02:00
max2165.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mc44s803_priv.h
mc44s803.c [media] mc44s803: implement get_if_frequency() 2012-09-18 12:54:44 -03:00
mc44s803.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
msi001.c spi: Drop owner assignment from spi_drivers 2015-10-28 10:30:17 +09:00
mt20xx.c [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
mt20xx.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mt2060_priv.h
mt2060.c [media] mt2060: just return 0 instead of using a var 2014-09-03 17:59:56 -03:00
mt2060.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mt2063.c [media] dvb_frontend: get rid of set_state ops & related data 2015-11-17 06:46:02 -02:00
mt2063.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mt2131_priv.h [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
mt2131.c [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
mt2131.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mt2266.c
mt2266.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mxl301rf.c [media] mxl301rf: add driver for MaxLinear MxL301RF OFDM tuner 2014-09-23 17:03:59 -03:00
mxl301rf.h [media] mxl301rf: add driver for MaxLinear MxL301RF OFDM tuner 2014-09-23 17:03:59 -03:00
mxl5005s.c [media] mxl5005s: just return 0 instead of using a var 2014-09-03 17:59:56 -03:00
mxl5005s.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
mxl5007t.c [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
mxl5007t.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
qm1d1c0042.c [media] qm1d1c0042: fix compilation on 32 bits 2014-09-26 06:47:42 -03:00
qm1d1c0042.h [media] qm1d1c0042: add driver for Sharp QM1D1C0042 ISDB-S tuner 2014-09-23 17:04:00 -03:00
qt1010_priv.h
qt1010.c [media] qt1010: avoid going past array 2015-04-30 14:57:35 -03:00
qt1010.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
r820t.c [media] r820t: Delete an unnecessary variable initialisation in generic_set_freq() 2016-01-25 15:15:39 -02:00
r820t.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
si2157_priv.h [media] si2157: implement signal strength stats 2015-06-05 06:33:45 -03:00
si2157.c [media] si2157: return -EINVAL if firmware blob is too big 2015-11-19 08:39:52 -02:00
si2157.h [media] si2157: support selection of IF interface 2015-05-12 13:20:55 -03:00
tda827x.c [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
tda827x.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tda8290.c [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
tda8290.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tda9887.c [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
tda9887.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tda18212.c [media] tuners: Drop owner assignment from i2c_driver 2015-08-11 13:01:32 -03:00
tda18212.h [media] tda18212: convert driver to I2C binding 2014-09-21 20:04:55 -03:00
tda18218_priv.h [media] tda18218: switch to Kernel logging 2012-09-15 09:23:16 -03:00
tda18218.c [media] tuners: Don't use dynamic static allocation 2013-11-08 09:45:41 -02:00
tda18218.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tda18271-common.c [media] tda18271: Fix identation 2014-12-04 13:55:05 -02:00
tda18271-fe.c [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
tda18271-maps.c [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
tda18271-priv.h [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
tda18271.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tea5761.c
tea5761.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tea5767.c
tea5767.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tua9001_priv.h [media] tua9001: use div_u64() for frequency calculation 2015-05-18 15:55:14 -03:00
tua9001.c [media] tuners: Drop owner assignment from i2c_driver 2015-08-11 13:01:32 -03:00
tua9001.h [media] tua9001: various minor changes 2015-05-18 15:54:02 -03:00
tuner-i2c.h [media] tuner-i2c: be consistent with I2C declaration 2015-06-23 10:01:45 -03:00
tuner-simple.c [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
tuner-simple.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
tuner-types.c [media] tuner: add Sony BTF tuners 2013-03-24 12:11:35 -03:00
tuner-xc2028-types.h [media] media_tree: Fix spelling errors 2013-11-29 14:43:50 -02:00
tuner-xc2028.c [media] xc2028: avoid use after free 2016-02-01 07:16:18 -02:00
tuner-xc2028.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
xc4000.c [media] xc4000: Fix bad alignments 2014-09-03 18:42:09 -03:00
xc4000.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00
xc5000.c [media] xc5000: fix memory corruption when unplugging device 2015-04-08 14:49:59 -03:00
xc5000.h [media] Add and use IS_REACHABLE macro 2015-04-08 15:02:07 -03:00