projects / platform / kernel / linux-starfive.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 305262a)
media: saa7134: fix use after free bug in saa7134_finidev due to race condition
authorZheng Wang <zyytlz.wz@163.com>
Sat, 18 Mar 2023 08:50:23 +0000 (16:50 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 May 2023 14:03:15 +0000 (23:03 +0900)
[ Upstream commit 30cf57da176cca80f11df0d9b7f71581fe601389 ]

In saa7134_initdev, it will call saa7134_hwinit1. There are three
function invoking here: saa7134_video_init1, saa7134_ts_init1
and saa7134_vbi_init1.

All of them will init a timer with same function. Take
saa7134_video_init1 as an example. It'll bound &dev->video_q.timeout
with saa7134_buffer_timeout.

In buffer_activate, the timer funtcion is started.

If we remove the module or device which will call saa7134_finidev
to make cleanup, there may be a unfinished work. The
possible sequence is as follows, which will cause a
typical UAF bug.

Fix it by canceling the timer works accordingly before cleanup in
saa7134_finidev.

CPU0                  CPU1

                    |saa7134_buffer_timeout
saa7134_finidev     |
  kfree(dev);       |
                    |
                    | saa7134_buffer_next
                    | //use dev

Fixes: 1e7126b4a86a ("media: saa7134: Convert timers to use timer_setup()")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/media/pci/saa7134/saa7134-ts.c patch | blob | history
drivers/media/pci/saa7134/saa7134-vbi.c patch | blob | history
drivers/media/pci/saa7134/saa7134-video.c patch | blob | history

diff --git a/drivers/media/pci/saa7134/saa7134-ts.c b/drivers/media/pci/saa7134/saa7134-ts.c
index 6a5053126237f455da079a4fa1ef5a2bc42286c2..437dbe5e75e2975a370a99f14f9aeb9fb5658b96 100644 (file)
--- a/drivers/media/pci/saa7134/saa7134-ts.c
+++ b/drivers/media/pci/saa7134/saa7134-ts.c
@@ -300,6 +300,7 @@ int saa7134_ts_start(struct saa7134_dev *dev)
 
 int saa7134_ts_fini(struct saa7134_dev *dev)
 {
+       del_timer_sync(&dev->ts_q.timeout);
        saa7134_pgtable_free(dev->pci, &dev->ts_q.pt);
        return 0;
 }
diff --git a/drivers/media/pci/saa7134/saa7134-vbi.c b/drivers/media/pci/saa7134/saa7134-vbi.c
index 3f0b0933eed69e9bbffbcc5f822d95b775191965..3e773690468bdb935d0a2ada46ef9a7f9da23e8d 100644 (file)
--- a/drivers/media/pci/saa7134/saa7134-vbi.c
+++ b/drivers/media/pci/saa7134/saa7134-vbi.c
@@ -185,6 +185,7 @@ int saa7134_vbi_init1(struct saa7134_dev *dev)
 int saa7134_vbi_fini(struct saa7134_dev *dev)
 {
        /* nothing */
+       del_timer_sync(&dev->vbi_q.timeout);
        return 0;
 }
 
diff --git a/drivers/media/pci/saa7134/saa7134-video.c b/drivers/media/pci/saa7134/saa7134-video.c
index 4d8974c9fcc984d7fb64e6f5facc4c692918453a..29124756a62bc32360683d3006b309319e6be05f 100644 (file)
--- a/drivers/media/pci/saa7134/saa7134-video.c
+++ b/drivers/media/pci/saa7134/saa7134-video.c
@@ -2146,6 +2146,7 @@ int saa7134_video_init1(struct saa7134_dev *dev)
 
 void saa7134_video_fini(struct saa7134_dev *dev)
 {
+       del_timer_sync(&dev->video_q.timeout);
        /* free stuff */
        saa7134_pgtable_free(dev->pci, &dev->video_q.pt);
        saa7134_pgtable_free(dev->pci, &dev->vbi_q.pt);
Domain: System / Kernel;