linux/drivers/media/mc/mc-request.c
Tuomas Tynkkynen e30cc79cc8 media: media-request: Fix crash if memory allocation fails
Syzbot reports a NULL-ptr deref in the kref_put() call:

BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline]
 kref_put include/linux/kref.h:64 [inline]
 media_request_put drivers/media/mc/mc-request.c:81 [inline]
 media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89
 __fput+0x2ed/0x750 fs/file_table.c:281
 task_work_run+0x147/0x1d0 kernel/task_work.c:123
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:165 [inline]
 prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196

What led to this crash was an injected memory allocation failure in
media_request_alloc():

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
 should_failslab+0x5/0x20
 kmem_cache_alloc_trace+0x57/0x300
 ? anon_inode_getfile+0xe5/0x170
 media_request_alloc+0x339/0x440
 media_device_request_alloc+0x94/0xc0
 media_device_ioctl+0x1fb/0x330
 ? do_vfs_ioctl+0x6ea/0x1a00
 ? media_ioctl+0x101/0x120
 ? __media_device_usb_init+0x430/0x430
 ? media_poll+0x110/0x110
 __se_sys_ioctl+0xf9/0x160
 do_syscall_64+0xf3/0x1b0

When that allocation fails, filp->private_data is left uninitialized
which media_request_close() does not expect and crashes.

To avoid this, reorder media_request_alloc() such that
allocating the struct file happens as the last step thus
media_request_close() will no longer get called for a partially created
media request.

Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Fixes: 10905d70d7 ("media: media-request: implement media requests")
Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2020-06-23 15:19:37 +02:00

507 lines
12 KiB
C

// SPDX-License-Identifier: GPL-2.0
/*
* Media device request objects
*
* Copyright 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
* Copyright (C) 2018 Intel Corporation
* Copyright (C) 2018 Google, Inc.
*
* Author: Hans Verkuil <hans.verkuil@cisco.com>
* Author: Sakari Ailus <sakari.ailus@linux.intel.com>
*/
#include <linux/anon_inodes.h>
#include <linux/file.h>
#include <linux/refcount.h>
#include <media/media-device.h>
#include <media/media-request.h>
static const char * const request_state[] = {
[MEDIA_REQUEST_STATE_IDLE] = "idle",
[MEDIA_REQUEST_STATE_VALIDATING] = "validating",
[MEDIA_REQUEST_STATE_QUEUED] = "queued",
[MEDIA_REQUEST_STATE_COMPLETE] = "complete",
[MEDIA_REQUEST_STATE_CLEANING] = "cleaning",
[MEDIA_REQUEST_STATE_UPDATING] = "updating",
};
static const char *
media_request_state_str(enum media_request_state state)
{
BUILD_BUG_ON(ARRAY_SIZE(request_state) != NR_OF_MEDIA_REQUEST_STATE);
if (WARN_ON(state >= ARRAY_SIZE(request_state)))
return "invalid";
return request_state[state];
}
static void media_request_clean(struct media_request *req)
{
struct media_request_object *obj, *obj_safe;
/* Just a sanity check. No other code path is allowed to change this. */
WARN_ON(req->state != MEDIA_REQUEST_STATE_CLEANING);
WARN_ON(req->updating_count);
WARN_ON(req->access_count);
list_for_each_entry_safe(obj, obj_safe, &req->objects, list) {
media_request_object_unbind(obj);
media_request_object_put(obj);
}
req->updating_count = 0;
req->access_count = 0;
WARN_ON(req->num_incomplete_objects);
req->num_incomplete_objects = 0;
wake_up_interruptible_all(&req->poll_wait);
}
static void media_request_release(struct kref *kref)
{
struct media_request *req =
container_of(kref, struct media_request, kref);
struct media_device *mdev = req->mdev;
dev_dbg(mdev->dev, "request: release %s\n", req->debug_str);
/* No other users, no need for a spinlock */
req->state = MEDIA_REQUEST_STATE_CLEANING;
media_request_clean(req);
if (mdev->ops->req_free)
mdev->ops->req_free(req);
else
kfree(req);
}
void media_request_put(struct media_request *req)
{
kref_put(&req->kref, media_request_release);
}
EXPORT_SYMBOL_GPL(media_request_put);
static int media_request_close(struct inode *inode, struct file *filp)
{
struct media_request *req = filp->private_data;
media_request_put(req);
return 0;
}
static __poll_t media_request_poll(struct file *filp,
struct poll_table_struct *wait)
{
struct media_request *req = filp->private_data;
unsigned long flags;
__poll_t ret = 0;
if (!(poll_requested_events(wait) & EPOLLPRI))
return 0;
poll_wait(filp, &req->poll_wait, wait);
spin_lock_irqsave(&req->lock, flags);
if (req->state == MEDIA_REQUEST_STATE_COMPLETE) {
ret = EPOLLPRI;
goto unlock;
}
if (req->state != MEDIA_REQUEST_STATE_QUEUED) {
ret = EPOLLERR;
goto unlock;
}
unlock:
spin_unlock_irqrestore(&req->lock, flags);
return ret;
}
static long media_request_ioctl_queue(struct media_request *req)
{
struct media_device *mdev = req->mdev;
enum media_request_state state;
unsigned long flags;
int ret;
dev_dbg(mdev->dev, "request: queue %s\n", req->debug_str);
/*
* Ensure the request that is validated will be the one that gets queued
* next by serialising the queueing process. This mutex is also used
* to serialize with canceling a vb2 queue and with setting values such
* as controls in a request.
*/
mutex_lock(&mdev->req_queue_mutex);
media_request_get(req);
spin_lock_irqsave(&req->lock, flags);
if (req->state == MEDIA_REQUEST_STATE_IDLE)
req->state = MEDIA_REQUEST_STATE_VALIDATING;
state = req->state;
spin_unlock_irqrestore(&req->lock, flags);
if (state != MEDIA_REQUEST_STATE_VALIDATING) {
dev_dbg(mdev->dev,
"request: unable to queue %s, request in state %s\n",
req->debug_str, media_request_state_str(state));
media_request_put(req);
mutex_unlock(&mdev->req_queue_mutex);
return -EBUSY;
}
ret = mdev->ops->req_validate(req);
/*
* If the req_validate was successful, then we mark the state as QUEUED
* and call req_queue. The reason we set the state first is that this
* allows req_queue to unbind or complete the queued objects in case
* they are immediately 'consumed'. State changes from QUEUED to another
* state can only happen if either the driver changes the state or if
* the user cancels the vb2 queue. The driver can only change the state
* after each object is queued through the req_queue op (and note that
* that op cannot fail), so setting the state to QUEUED up front is
* safe.
*
* The other reason for changing the state is if the vb2 queue is
* canceled, and that uses the req_queue_mutex which is still locked
* while req_queue is called, so that's safe as well.
*/
spin_lock_irqsave(&req->lock, flags);
req->state = ret ? MEDIA_REQUEST_STATE_IDLE
: MEDIA_REQUEST_STATE_QUEUED;
spin_unlock_irqrestore(&req->lock, flags);
if (!ret)
mdev->ops->req_queue(req);
mutex_unlock(&mdev->req_queue_mutex);
if (ret) {
dev_dbg(mdev->dev, "request: can't queue %s (%d)\n",
req->debug_str, ret);
media_request_put(req);
}
return ret;
}
static long media_request_ioctl_reinit(struct media_request *req)
{
struct media_device *mdev = req->mdev;
unsigned long flags;
spin_lock_irqsave(&req->lock, flags);
if (req->state != MEDIA_REQUEST_STATE_IDLE &&
req->state != MEDIA_REQUEST_STATE_COMPLETE) {
dev_dbg(mdev->dev,
"request: %s not in idle or complete state, cannot reinit\n",
req->debug_str);
spin_unlock_irqrestore(&req->lock, flags);
return -EBUSY;
}
if (req->access_count) {
dev_dbg(mdev->dev,
"request: %s is being accessed, cannot reinit\n",
req->debug_str);
spin_unlock_irqrestore(&req->lock, flags);
return -EBUSY;
}
req->state = MEDIA_REQUEST_STATE_CLEANING;
spin_unlock_irqrestore(&req->lock, flags);
media_request_clean(req);
spin_lock_irqsave(&req->lock, flags);
req->state = MEDIA_REQUEST_STATE_IDLE;
spin_unlock_irqrestore(&req->lock, flags);
return 0;
}
static long media_request_ioctl(struct file *filp, unsigned int cmd,
unsigned long arg)
{
struct media_request *req = filp->private_data;
switch (cmd) {
case MEDIA_REQUEST_IOC_QUEUE:
return media_request_ioctl_queue(req);
case MEDIA_REQUEST_IOC_REINIT:
return media_request_ioctl_reinit(req);
default:
return -ENOIOCTLCMD;
}
}
static const struct file_operations request_fops = {
.owner = THIS_MODULE,
.poll = media_request_poll,
.unlocked_ioctl = media_request_ioctl,
#ifdef CONFIG_COMPAT
.compat_ioctl = media_request_ioctl,
#endif /* CONFIG_COMPAT */
.release = media_request_close,
};
struct media_request *
media_request_get_by_fd(struct media_device *mdev, int request_fd)
{
struct fd f;
struct media_request *req;
if (!mdev || !mdev->ops ||
!mdev->ops->req_validate || !mdev->ops->req_queue)
return ERR_PTR(-EBADR);
f = fdget(request_fd);
if (!f.file)
goto err_no_req_fd;
if (f.file->f_op != &request_fops)
goto err_fput;
req = f.file->private_data;
if (req->mdev != mdev)
goto err_fput;
/*
* Note: as long as someone has an open filehandle of the request,
* the request can never be released. The fdget() above ensures that
* even if userspace closes the request filehandle, the release()
* fop won't be called, so the media_request_get() always succeeds
* and there is no race condition where the request was released
* before media_request_get() is called.
*/
media_request_get(req);
fdput(f);
return req;
err_fput:
fdput(f);
err_no_req_fd:
dev_dbg(mdev->dev, "cannot find request_fd %d\n", request_fd);
return ERR_PTR(-EINVAL);
}
EXPORT_SYMBOL_GPL(media_request_get_by_fd);
int media_request_alloc(struct media_device *mdev, int *alloc_fd)
{
struct media_request *req;
struct file *filp;
int fd;
int ret;
/* Either both are NULL or both are non-NULL */
if (WARN_ON(!mdev->ops->req_alloc ^ !mdev->ops->req_free))
return -ENOMEM;
if (mdev->ops->req_alloc)
req = mdev->ops->req_alloc(mdev);
else
req = kzalloc(sizeof(*req), GFP_KERNEL);
if (!req)
return -ENOMEM;
fd = get_unused_fd_flags(O_CLOEXEC);
if (fd < 0) {
ret = fd;
goto err_free_req;
}
filp = anon_inode_getfile("request", &request_fops, NULL, O_CLOEXEC);
if (IS_ERR(filp)) {
ret = PTR_ERR(filp);
goto err_put_fd;
}
filp->private_data = req;
req->mdev = mdev;
req->state = MEDIA_REQUEST_STATE_IDLE;
req->num_incomplete_objects = 0;
kref_init(&req->kref);
INIT_LIST_HEAD(&req->objects);
spin_lock_init(&req->lock);
init_waitqueue_head(&req->poll_wait);
req->updating_count = 0;
req->access_count = 0;
*alloc_fd = fd;
snprintf(req->debug_str, sizeof(req->debug_str), "%u:%d",
atomic_inc_return(&mdev->request_id), fd);
dev_dbg(mdev->dev, "request: allocated %s\n", req->debug_str);
fd_install(fd, filp);
return 0;
err_put_fd:
put_unused_fd(fd);
err_free_req:
if (mdev->ops->req_free)
mdev->ops->req_free(req);
else
kfree(req);
return ret;
}
static void media_request_object_release(struct kref *kref)
{
struct media_request_object *obj =
container_of(kref, struct media_request_object, kref);
struct media_request *req = obj->req;
if (WARN_ON(req))
media_request_object_unbind(obj);
obj->ops->release(obj);
}
struct media_request_object *
media_request_object_find(struct media_request *req,
const struct media_request_object_ops *ops,
void *priv)
{
struct media_request_object *obj;
struct media_request_object *found = NULL;
unsigned long flags;
if (WARN_ON(!ops || !priv))
return NULL;
spin_lock_irqsave(&req->lock, flags);
list_for_each_entry(obj, &req->objects, list) {
if (obj->ops == ops && obj->priv == priv) {
media_request_object_get(obj);
found = obj;
break;
}
}
spin_unlock_irqrestore(&req->lock, flags);
return found;
}
EXPORT_SYMBOL_GPL(media_request_object_find);
void media_request_object_put(struct media_request_object *obj)
{
kref_put(&obj->kref, media_request_object_release);
}
EXPORT_SYMBOL_GPL(media_request_object_put);
void media_request_object_init(struct media_request_object *obj)
{
obj->ops = NULL;
obj->req = NULL;
obj->priv = NULL;
obj->completed = false;
INIT_LIST_HEAD(&obj->list);
kref_init(&obj->kref);
}
EXPORT_SYMBOL_GPL(media_request_object_init);
int media_request_object_bind(struct media_request *req,
const struct media_request_object_ops *ops,
void *priv, bool is_buffer,
struct media_request_object *obj)
{
unsigned long flags;
int ret = -EBUSY;
if (WARN_ON(!ops->release))
return -EBADR;
spin_lock_irqsave(&req->lock, flags);
if (WARN_ON(req->state != MEDIA_REQUEST_STATE_UPDATING))
goto unlock;
obj->req = req;
obj->ops = ops;
obj->priv = priv;
if (is_buffer)
list_add_tail(&obj->list, &req->objects);
else
list_add(&obj->list, &req->objects);
req->num_incomplete_objects++;
ret = 0;
unlock:
spin_unlock_irqrestore(&req->lock, flags);
return ret;
}
EXPORT_SYMBOL_GPL(media_request_object_bind);
void media_request_object_unbind(struct media_request_object *obj)
{
struct media_request *req = obj->req;
unsigned long flags;
bool completed = false;
if (WARN_ON(!req))
return;
spin_lock_irqsave(&req->lock, flags);
list_del(&obj->list);
obj->req = NULL;
if (req->state == MEDIA_REQUEST_STATE_COMPLETE)
goto unlock;
if (WARN_ON(req->state == MEDIA_REQUEST_STATE_VALIDATING))
goto unlock;
if (req->state == MEDIA_REQUEST_STATE_CLEANING) {
if (!obj->completed)
req->num_incomplete_objects--;
goto unlock;
}
if (WARN_ON(!req->num_incomplete_objects))
goto unlock;
req->num_incomplete_objects--;
if (req->state == MEDIA_REQUEST_STATE_QUEUED &&
!req->num_incomplete_objects) {
req->state = MEDIA_REQUEST_STATE_COMPLETE;
completed = true;
wake_up_interruptible_all(&req->poll_wait);
}
unlock:
spin_unlock_irqrestore(&req->lock, flags);
if (obj->ops->unbind)
obj->ops->unbind(obj);
if (completed)
media_request_put(req);
}
EXPORT_SYMBOL_GPL(media_request_object_unbind);
void media_request_object_complete(struct media_request_object *obj)
{
struct media_request *req = obj->req;
unsigned long flags;
bool completed = false;
spin_lock_irqsave(&req->lock, flags);
if (obj->completed)
goto unlock;
obj->completed = true;
if (WARN_ON(!req->num_incomplete_objects) ||
WARN_ON(req->state != MEDIA_REQUEST_STATE_QUEUED))
goto unlock;
if (!--req->num_incomplete_objects) {
req->state = MEDIA_REQUEST_STATE_COMPLETE;
wake_up_interruptible_all(&req->poll_wait);
completed = true;
}
unlock:
spin_unlock_irqrestore(&req->lock, flags);
if (completed)
media_request_put(req);
}
EXPORT_SYMBOL_GPL(media_request_object_complete);