From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Lin Ma <linma@zju.edu.cn>, kernel test robot <lkp@intel.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Sasha Levin <sashal@kernel.org>,
linux-media@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 18/23] media: dvbdev: adopts refcnt to avoid UAF
Date: Sun, 18 Dec 2022 11:21:44 -0500 [thread overview]
Message-ID: <20221218162149.935047-18-sashal@kernel.org> (raw)
In-Reply-To: <20221218162149.935047-1-sashal@kernel.org>
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ]
dvb_unregister_device() is known that prone to use-after-free.
That is, the cleanup from dvb_unregister_device() releases the dvb_device
even if there are pointers stored in file->private_data still refer to it.
This patch adds a reference counter into struct dvb_device and delays its
deallocation until no pointer refers to the object.
Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-core/dvb_ca_en50221.c | 2 +-
drivers/media/dvb-core/dvb_frontend.c | 2 +-
drivers/media/dvb-core/dvbdev.c | 32 +++++++++++++++++++------
drivers/media/dvb-core/dvbdev.h | 31 +++++++++++++-----------
4 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index 95b3723282f4..56114d85510f 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -167,7 +167,7 @@ static void dvb_ca_private_free(struct dvb_ca_private *ca)
{
unsigned int i;
- dvb_free_device(ca->dvbdev);
+ dvb_device_put(ca->dvbdev);
for (i = 0; i < ca->slot_count; i++)
vfree(ca->slot_info[i].rx_buffer.data);
diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
index f7d4ec37fdbc..e3a4a4688c2e 100644
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -146,7 +146,7 @@ static void __dvb_frontend_free(struct dvb_frontend *fe)
struct dvb_frontend_private *fepriv = fe->frontend_priv;
if (fepriv)
- dvb_free_device(fepriv->dvbdev);
+ dvb_device_put(fepriv->dvbdev);
dvb_frontend_invoke_release(fe, fe->ops.release);
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index 1628cbdd20d7..4c89c37713bd 100644
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -84,7 +84,7 @@ static int dvb_device_open(struct inode *inode, struct file *file)
new_fops = fops_get(dvbdev->fops);
if (!new_fops)
goto fail;
- file->private_data = dvbdev;
+ file->private_data = dvb_device_get(dvbdev);
replace_fops(file, new_fops);
if (file->f_op->open)
err = file->f_op->open(inode, file);
@@ -148,6 +148,9 @@ int dvb_generic_release(struct inode *inode, struct file *file)
}
dvbdev->users++;
+
+ dvb_device_put(dvbdev);
+
return 0;
}
EXPORT_SYMBOL(dvb_generic_release);
@@ -462,6 +465,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
return -ENOMEM;
}
+ kref_init(&dvbdev->ref);
memcpy(dvbdev, template, sizeof(struct dvb_device));
dvbdev->type = type;
dvbdev->id = id;
@@ -493,7 +497,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
#endif
dvbdev->minor = minor;
- dvb_minors[minor] = dvbdev;
+ dvb_minors[minor] = dvb_device_get(dvbdev);
up_write(&minor_rwsem);
ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads);
@@ -534,6 +538,7 @@ void dvb_remove_device(struct dvb_device *dvbdev)
down_write(&minor_rwsem);
dvb_minors[dvbdev->minor] = NULL;
+ dvb_device_put(dvbdev);
up_write(&minor_rwsem);
dvb_media_device_free(dvbdev);
@@ -545,21 +550,34 @@ void dvb_remove_device(struct dvb_device *dvbdev)
EXPORT_SYMBOL(dvb_remove_device);
-void dvb_free_device(struct dvb_device *dvbdev)
+static void dvb_free_device(struct kref *ref)
{
- if (!dvbdev)
- return;
+ struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref);
kfree (dvbdev->fops);
kfree (dvbdev);
}
-EXPORT_SYMBOL(dvb_free_device);
+
+
+struct dvb_device *dvb_device_get(struct dvb_device *dvbdev)
+{
+ kref_get(&dvbdev->ref);
+ return dvbdev;
+}
+EXPORT_SYMBOL(dvb_device_get);
+
+
+void dvb_device_put(struct dvb_device *dvbdev)
+{
+ if (dvbdev)
+ kref_put(&dvbdev->ref, dvb_free_device);
+}
void dvb_unregister_device(struct dvb_device *dvbdev)
{
dvb_remove_device(dvbdev);
- dvb_free_device(dvbdev);
+ dvb_device_put(dvbdev);
}
EXPORT_SYMBOL(dvb_unregister_device);
diff --git a/drivers/media/dvb-core/dvbdev.h b/drivers/media/dvb-core/dvbdev.h
index 49189392cf3b..5f6a6e7cda61 100644
--- a/drivers/media/dvb-core/dvbdev.h
+++ b/drivers/media/dvb-core/dvbdev.h
@@ -133,6 +133,7 @@ struct dvb_adapter {
*/
struct dvb_device {
struct list_head list_head;
+ struct kref ref;
const struct file_operations *fops;
struct dvb_adapter *adapter;
int type;
@@ -164,6 +165,20 @@ struct dvb_device {
void *priv;
};
+/**
+ * dvb_device_get - Increase dvb_device reference
+ *
+ * @dvbdev: pointer to struct dvb_device
+ */
+struct dvb_device *dvb_device_get(struct dvb_device *dvbdev);
+
+/**
+ * dvb_device_get - Decrease dvb_device reference
+ *
+ * @dvbdev: pointer to struct dvb_device
+ */
+void dvb_device_put(struct dvb_device *dvbdev);
+
/**
* dvb_register_adapter - Registers a new DVB adapter
*
@@ -210,29 +225,17 @@ int dvb_register_device(struct dvb_adapter *adap,
/**
* dvb_remove_device - Remove a registered DVB device
*
- * This does not free memory. To do that, call dvb_free_device().
+ * This does not free memory. dvb_free_device() will do that when
+ * reference counter is empty
*
* @dvbdev: pointer to struct dvb_device
*/
void dvb_remove_device(struct dvb_device *dvbdev);
-/**
- * dvb_free_device - Free memory occupied by a DVB device.
- *
- * Call dvb_unregister_device() before calling this function.
- *
- * @dvbdev: pointer to struct dvb_device
- */
-void dvb_free_device(struct dvb_device *dvbdev);
/**
* dvb_unregister_device - Unregisters a DVB device
*
- * This is a combination of dvb_remove_device() and dvb_free_device().
- * Using this function is usually a mistake, and is often an indicator
- * for a use-after-free bug (when a userspace process keeps a file
- * handle to a detached device).
- *
* @dvbdev: pointer to struct dvb_device
*/
void dvb_unregister_device(struct dvb_device *dvbdev);
--
2.35.1
next prev parent reply other threads:[~2022-12-18 17:08 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-18 16:21 [PATCH AUTOSEL 4.14 01/23] wifi: ath9k: verify the expected usb_endpoints are present Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 02/23] wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 03/23] ASoC: codecs: rt298: Add quirk for KBL-R RVP platform Sasha Levin
2022-12-18 16:21 ` Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 04/23] ipmi: fix memleak when unload ipmi driver Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 05/23] bpf: make sure skb->len != 0 when redirecting to a tunneling device Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 06/23] net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 07/23] hamradio: baycom_epp: Fix return type of baycom_send_packet() Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 08/23] wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() Sasha Levin
2022-12-18 16:21 ` [Intel-wired-lan] [PATCH AUTOSEL 4.14 09/23] igb: Do not free q_vector unless new one was allocated Sasha Levin
2022-12-18 16:21 ` Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 10/23] s390/ctcm: Fix return type of ctc{mp,}m_tx() Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 11/23] s390/netiucv: Fix return type of netiucv_tx() Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 12/23] s390/lcs: Fix return type of lcs_start_xmit() Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 13/23] drm/sti: Use drm_mode_copy() Sasha Levin
2022-12-18 16:21 ` Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 14/23] md/raid1: stop mdx_raid1 thread when raid1 array run failed Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 15/23] mrp: introduce active flags to prevent UAF when applicant uninit Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 16/23] ppp: associate skb with a device at tx Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 17/23] media: dvb-frontends: fix leak of memory fw Sasha Levin
2022-12-18 16:21 ` Sasha Levin [this message]
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 19/23] media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 20/23] blk-mq: fix possible memleak when register 'hctx' failed Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 21/23] mmc: f-sdh30: Add quirks for broken timeout clock capability Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 22/23] media: si470x: Fix use-after-free in si470x_int_in_callback() Sasha Levin
2022-12-18 16:21 ` [PATCH AUTOSEL 4.14 23/23] clk: st: Fix memory leak in st_of_quadfs_setup() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221218162149.935047-18-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linma@zju.edu.cn \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=lkp@intel.com \
--cc=mchehab@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.