mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-25 13:43:55 +08:00
linux-next/drivers/media
Shuah Khan 5b28dde51d [media] media: fix use-after-free in cdev_put() when app exits after driver unbind
When the driver unbinds while media_ioctl is in progress, cdev_put() fails
when the app exits after the driver unbinds.

Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets
a reference to it and releases it in cdev_del() ensuring that the devnode
is not deallocated as long as the application has the device file open.

media_devnode_register() initializes the struct device kobj before calling
cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the
device. devnode is released when the last reference to the struct device is
gone.

This problem is found on the uvcvideo, em28xx, and au0828 drivers and the fix has
been tested on all three.

kernel: [  193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50
kernel: [  193.599745] Read of size 8 by task media_device_te/1851
kernel: [  193.599792] INFO: Allocated in __media_device_register+0x54
kernel: [  193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0

kernel: [  193.601083] Call Trace:
kernel: [  193.601093]  [<ffffffff81aecac3>] dump_stack+0x67/0x94
kernel: [  193.601102]  [<ffffffff815359b2>] print_trailer+0x112/0x1a0
kernel: [  193.601111]  [<ffffffff8153b5e4>] object_err+0x34/0x40
kernel: [  193.601119]  [<ffffffff8153d9d4>] kasan_report_error+0x224/0x530
kernel: [  193.601128]  [<ffffffff814a2c3d>] ? kzfree+0x2d/0x40
kernel: [  193.601137]  [<ffffffff81539d72>] ? kfree+0x1d2/0x1f0
kernel: [  193.601154]  [<ffffffff8157ca7e>] ? cdev_put+0x4e/0x50
kernel: [  193.601162]  [<ffffffff8157ca7e>] cdev_put+0x4e/0x50
kernel: [  193.601170]  [<ffffffff815767eb>] __fput+0x52b/0x6c0
kernel: [  193.601179]  [<ffffffff8117743a>] ? switch_task_namespaces+0x2a
kernel: [  193.601188]  [<ffffffff815769ee>] ____fput+0xe/0x10
kernel: [  193.601196]  [<ffffffff81170023>] task_work_run+0x133/0x1f0
kernel: [  193.601204]  [<ffffffff8117746e>] ? switch_task_namespaces+0x5e
kernel: [  193.601213]  [<ffffffff8111b50c>] do_exit+0x72c/0x2c20
kernel: [  193.601224]  [<ffffffff8111ade0>] ? release_task+0x1250/0x1250
-
-
-
kernel: [  193.601360]  [<ffffffff81003587>] ? exit_to_usermode_loop+0xe7
kernel: [  193.601368]  [<ffffffff810035c0>] exit_to_usermode_loop+0x120
kernel: [  193.601376]  [<ffffffff810061da>] syscall_return_slowpath+0x16a
kernel: [  193.601386]  [<ffffffff82848b33>] entry_SYSCALL_64_fastpath+0xa6

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-06-15 17:58:06 -03:00
common [media] tpg: Export the tpg code from vivid as a module 2016-04-20 16:14:39 -03:00
dvb-core [media] drivers/media/dvb-core/en50221: move code to dvb_ca_private_free() 2016-06-07 17:14:43 -03:00
dvb-frontends [media] m88rs2000: initialize status to zero 2016-06-10 08:41:36 -03:00
firewire [media] dvb: modify core to implement interfaces/entities at MC new gen 2016-01-11 12:18:52 -02:00
i2c remove lots of IS_ERR_VALUE abuses 2016-05-27 15:26:11 -07:00
mmc [media] siano: register media controller earlier 2015-02-26 09:10:39 -03:00
pci [media] Change frontend allocation strategy for NetUP Universal DVB cards 2016-06-07 12:16:37 -03:00
platform [media] s5p-mfc: fix a typo in s5p_mfc_dec 2016-06-07 13:03:52 -03:00
radio [media] tea575x: convert to library 2016-02-10 09:34:28 -02:00
rc [media] drivers/media/rc: postpone kfree(rc_dev) 2016-05-07 11:21:04 -03:00
tuners [media] mt2063: use lib gcd 2016-06-09 15:58:32 -03:00
usb [media] media-device: dynamically allocate struct media_devnode 2016-06-15 17:57:24 -03:00
v4l2-core Update my main e-mails at the Kernel tree 2016-06-14 14:55:18 -03:00
Kconfig [media] Kconfig: Re-enable Media controller support for DVB 2016-01-11 12:18:40 -02:00
Makefile [media] bq/c-qcam, w9966, pms: move to staging in preparation for removal 2014-12-16 23:21:44 -02:00
media-device.c [media] media: fix use-after-free in cdev_put() when app exits after driver unbind 2016-06-15 17:58:06 -03:00
media-devnode.c [media] media: fix use-after-free in cdev_put() when app exits after driver unbind 2016-06-15 17:58:06 -03:00
media-entity.c [media] media: change pipeline validation return error 2016-04-29 08:07:17 -03:00