linux/include/media
Shuah Khan 6f0dd24a08 [media] media: fix media devnode ioctl/syscall and unregister race
Media devnode open/ioctl could be in progress when media device unregister
is initiated. System calls and ioctls check media device registered status
at the beginning, however, there is a window where unregister could be in
progress without changing the media devnode status to unregistered.

process 1				process 2
fd = open(/dev/media0)
media_devnode_is_registered()
	(returns true here)

					media_device_unregister()
						(unregister is in progress
						and devnode isn't
						unregistered yet)
					...
ioctl(fd, ...)
__media_ioctl()
media_devnode_is_registered()
	(returns true here)
					...
					media_devnode_unregister()
					...
					(driver releases the media device
					memory)

media_device_ioctl()
	(By this point
	devnode->media_dev does not
	point to allocated memory.
	use-after-free in mutex_lock_nested)

BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr
ffff8801ebe914f0

Fix it by clearing register bit when unregister starts to avoid the race.

process 1                               process 2
fd = open(/dev/media0)
media_devnode_is_registered()
        (could return true here)

                                        media_device_unregister()
                                                (clear the register bit,
                                                 then start unregister.)
                                        ...
ioctl(fd, ...)
__media_ioctl()
media_devnode_is_registered()
        (returns false here, ioctl
         returns I/O error, and
         will not access media
         device memory)
                                        ...
                                        media_devnode_unregister()
                                        ...
                                        (driver releases the media device
                                         memory)

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Suggested-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reported-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-06-15 17:59:28 -03:00
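The two interleavings in the commit message above, replayed step by step as an added userspace C example. This is editorial illustration, not kernel code and not part of the commit: every `*_sim` identifier is invented for the model, the `media_dev_freed` poison flag stands in for what KASAN reported (the model never really dereferences freed memory), and the `fix` argument selects whether the registered bit is cleared when unregister starts (the patch) or only when the devnode is torn down (the original ordering).

```c
/* Replay of the devnode unregister race from the commit message. Added
 * example for this page, written in userspace C; it is not kernel code and
 * all *_sim names are invented for the illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MEDIA_FLAG_REGISTERED 0	/* bit index in the devnode flags word */

/* Result of process 1's ioctl under a given interleaving. */
enum ioctl_outcome_sim {
	IOCTL_OK_SIM = 0,
	IOCTL_EIO_SIM = -EIO,	/* devnode no longer registered: I/O error */
	IOCTL_UAF_SIM = -1000,	/* would have touched freed media_dev memory
				 * (the access KASAN flagged in mutex_lock_nested) */
};

struct media_device_sim {
	int graph_mutex;	/* stands in for dev->graph_mutex */
};

struct media_devnode_sim {
	unsigned long flags;
	struct media_device_sim *media_dev;
	bool media_dev_freed;	/* model-only poison: set once media_dev is freed */
};

static bool devnode_is_registered_sim(const struct media_devnode_sim *dn)
{
	return (dn->flags >> MEDIA_FLAG_REGISTERED) & 1UL;
}

/* process 2, first half: media_device_unregister() begins. With the fix the
 * registered bit is cleared right here; without it the bit survives until
 * the devnode itself is unregistered below. */
static void unregister_start_sim(struct media_devnode_sim *dn, bool fix)
{
	if (fix)
		dn->flags &= ~(1UL << MEDIA_FLAG_REGISTERED);
}

/* process 2, second half: media_devnode_unregister(), then the driver frees
 * the media device. The pointer is left dangling on purpose, as in the bug. */
static void unregister_finish_sim(struct media_devnode_sim *dn)
{
	dn->flags &= ~(1UL << MEDIA_FLAG_REGISTERED);
	free(dn->media_dev);
	dn->media_dev_freed = true;
}

/* process 1: the registered check at the top of __media_ioctl(). */
static bool ioctl_check_sim(const struct media_devnode_sim *dn)
{
	return devnode_is_registered_sim(dn);
}

/* process 1: media_device_ioctl(), whose first action is locking graph_mutex. */
static enum ioctl_outcome_sim ioctl_use_sim(struct media_devnode_sim *dn)
{
	if (dn->media_dev_freed)
		return IOCTL_UAF_SIM;	/* this is where mutex_lock_nested() blew up */
	dn->media_dev->graph_mutex = 1;	/* mutex_lock_nested(&media_dev->graph_mutex) */
	dn->media_dev->graph_mutex = 0;	/* mutex_unlock() */
	return IOCTL_OK_SIM;
}

static struct media_devnode_sim new_devnode_sim(void)
{
	struct media_devnode_sim dn = {
		.flags = 1UL << MEDIA_FLAG_REGISTERED,	/* registered, as after open() */
		.media_dev = calloc(1, sizeof(struct media_device_sim)),
		.media_dev_freed = false,
	};
	if (!dn.media_dev)
		abort();
	return dn;
}

/* Exact step order of the commit message's diagrams: open, unregister starts,
 * ioctl entry check, unregister finishes (memory freed), ioctl proceeds. */
static enum ioctl_outcome_sim replay_race_sim(bool fix)
{
	struct media_devnode_sim dn = new_devnode_sim();
	enum ioctl_outcome_sim rc;

	unregister_start_sim(&dn, fix);		/* process 2 starts tearing down */
	if (!ioctl_check_sim(&dn)) {		/* process 1 enters __media_ioctl() */
		rc = IOCTL_EIO_SIM;
	} else {
		unregister_finish_sim(&dn);	/* process 2 frees the media device */
		rc = ioctl_use_sim(&dn);	/* process 1 reaches media_device_ioctl() */
	}
	if (!dn.media_dev_freed)
		unregister_finish_sim(&dn);	/* tidy up on the fixed path */
	return rc;
}

/* Control case: the ioctl completes before unregister begins, so no race. */
static enum ioctl_outcome_sim replay_no_race_sim(void)
{
	struct media_devnode_sim dn = new_devnode_sim();
	enum ioctl_outcome_sim rc = ioctl_check_sim(&dn) ? ioctl_use_sim(&dn) : IOCTL_EIO_SIM;

	unregister_start_sim(&dn, true);
	unregister_finish_sim(&dn);
	return rc;
}

int main(void)
{
	printf("original ordering: %d (expect %d, use-after-free)\n",
	       replay_race_sim(false), IOCTL_UAF_SIM);
	printf("bit cleared first: %d (expect %d, -EIO)\n",
	       replay_race_sim(true), IOCTL_EIO_SIM);
	printf("no race:           %d (expect %d)\n", replay_no_race_sim(), IOCTL_OK_SIM);
	return 0;
}
```

One caveat the model makes visible: the registered bit is read without any lock, so in this replay the only thing keeping process 1 safe on the fixed path is that process 2's first step runs before the ioctl's check. An unregister that started between `ioctl_check_sim()` and `ioctl_use_sim()` would still reach the freed memory in the model; closing that remaining window in real code needs a lock or reference count that spans the check and the use, not a flag alone.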
blackfin [media] v4l2: blackfin: select proper pinctrl state in ppi_set_params if CONFIG_PINCTRL is enabled 2014-07-26 17:15:16 -03:00
davinci [media] media: videobuf2: Restructure vb2_buffer 2015-10-01 09:04:43 -03:00
drv-intf [media] media, sound: tea575x: constify snd_tea575x_ops structures 2015-12-03 11:26:45 -02:00
i2c [media] tvp5150: move input definition header to dt-bindings 2016-02-11 11:10:59 -02:00
i2c-addr.h
lirc_dev.h [media] lirc_dev.h: Make checkpatch happy 2015-10-05 13:50:42 -03:00
lirc.h [media] bz#75751: Move internal header file lirc.h to uapi/ 2015-11-17 06:47:43 -02:00
media-device.h [media] media-device: dynamically allocate struct media_devnode 2016-06-15 17:57:24 -03:00
media-devnode.h [media] media: fix media devnode ioctl/syscall and unregister race 2016-06-15 17:59:28 -03:00
media-entity.h [media] media: Improve documentation for link_setup/link_modify 2016-04-20 13:16:14 -03:00
rc-core.h [media] media: rc: reduce size of struct ir_raw_event 2016-05-07 10:34:17 -03:00
rc-map.h [media] media: rc: improve RC_BIT_ constant definition 2015-11-19 11:39:58 -02:00
soc_camera.h [media] media: videobuf2: Replace videobuf2-core with videobuf2-v4l2 2015-10-01 08:48:18 -03:00
tuner-types.h [media] DocBook: add documentation for tuner-types.h 2015-10-05 11:37:15 -03:00
tuner.h [media] v4l2-mc.h: move tuner PAD definitions to this new header 2016-02-01 07:19:44 -02:00
tveeprom.h [media] DocBook: Document tveeprom.h 2015-10-05 13:49:02 -03:00
v4l2-async.h [media] Docbook: Fix comments at v4l2-async.h 2015-08-22 05:17:27 -03:00
v4l2-clk.h [media] v4l2-clk: add new definition: V4L2_CLK_NAME_SIZE 2015-11-17 15:19:11 -02:00
v4l2-common.h [media] v4l2-common: move v4l2_ctrl_check to cx2341x 2014-11-25 08:25:36 -02:00
v4l2-ctrls.h [media] v4l2-ctrls: remove unclaimed v4l2_ctrl_add_ctrl() interface 2016-02-10 09:34:00 -02:00
v4l2-dev.h [media] v4l2: add device_caps to struct video_device 2016-04-13 16:40:29 -03:00
v4l2-device.h [media] v4l2-device.h: add v4l2_device_mask_ variants 2016-04-20 16:08:42 -03:00
v4l2-dv-timings.h [media] v4l2-dv-timings: add new arg to v4l2_match_dv_timings 2015-12-03 11:26:14 -02:00
v4l2-event.h [media] v4l2-event.h: fix comments and add to DocBook 2015-08-22 09:05:52 -03:00
v4l2-fh.h [media] V4L: Add mem2mem ioctl and file operation helpers 2013-12-04 15:34:24 -02:00
v4l2-flash-led-class.h [media] Docbook: fix comments at v4l2-flash-led-class.h 2015-08-22 05:28:44 -03:00
v4l2-image-sizes.h [media] media: v4l2-image-sizes.h: correct the SVGA height definition 2014-12-04 13:56:56 -02:00
v4l2-ioctl.h [media] v4l2: add support for SDR transmitter 2015-10-20 15:40:50 -02:00
v4l2-mc.h Update my main e-mails at the Kernel tree 2016-06-14 14:55:18 -03:00
v4l2-mediabus.h [media] v4l2-mediabus: Add to DocBook 2015-08-22 09:05:55 -03:00
v4l2-mem2mem.h [media] media: videobuf2: Restructure vb2_buffer 2015-10-01 09:04:43 -03:00
v4l2-of.h [media] v4l2-of: fix compiler errors if CONFIG_OF is undefined 2015-04-28 08:33:45 -03:00
v4l2-rect.h [media] v4l2-rect.h: new header with struct v4l2_rect helper functions 2016-04-20 16:11:33 -03:00
v4l2-subdev.h [media] v4l: subdev: Add pad config allocator and init 2016-04-13 17:23:37 -03:00
v4l2-tpg-colors.h [media] tpg: Export the tpg code from vivid as a module 2016-04-20 16:14:39 -03:00
v4l2-tpg.h [media] tpg: Export the tpg code from vivid as a module 2016-04-20 16:14:39 -03:00
videobuf2-core.h [media] media: vb2: Fix regression on poll() for RW mode 2016-04-25 10:21:23 -03:00
videobuf2-dma-contig.h media: vb2-dma-contig: add helper for setting dma max seg size 2016-06-03 11:12:50 +02:00
videobuf2-dma-sg.h [media] media: videobuf2: Replace videobuf2-core with videobuf2-v4l2 2015-10-01 08:48:18 -03:00
videobuf2-dvb.h [media] add media controller support to videobuf2-dvb 2016-02-10 07:23:41 -02:00
videobuf2-memops.h [media] media: videobuf2: Replace videobuf2-core with videobuf2-v4l2 2015-10-01 08:48:18 -03:00
videobuf2-v4l2.h [media] media: videobuf2: Move vb2_fileio_data and vb2_thread to core part 2015-12-18 13:58:09 -02:00
videobuf2-vmalloc.h [media] media: videobuf2: Replace videobuf2-core with videobuf2-v4l2 2015-10-01 08:48:18 -03:00
videobuf-core.h treewide: fix typos in comment blocks 2015-08-07 14:46:24 +02:00
videobuf-dma-contig.h [media] videobuf-dma-contig: remove support for cached mem 2013-04-25 09:50:19 -03:00
videobuf-dma-sg.h [media] videobuf: make unused exported functions static 2015-01-27 10:01:33 -02:00
videobuf-dvb.h [media] media: remove emacs editor variables 2014-12-22 17:52:20 -02:00
videobuf-vmalloc.h V4L/DVB: videobuf: add ext_lock argument to the queue init functions 2010-10-21 01:06:14 -02:00
vsp1.h [media] v4l: vsp1: Add global alpha support for DRM pipeline 2016-04-13 19:15:23 -03:00