From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Chi Zhiling <chizhiling@kylinos.cn>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>,
Sasha Levin <sashal@kernel.org>,
mchehab@kernel.org, linux-media@vger.kernel.org
Subject: [PATCH AUTOSEL 6.10 28/34] media: xc2028: avoid use-after-free in load_firmware_cb()
Date: Sun, 28 Jul 2024 11:40:52 -0400 [thread overview]
Message-ID: <20240728154230.2046786-28-sashal@kernel.org> (raw)
In-Reply-To: <20240728154230.2046786-1-sashal@kernel.org>
From: Chi Zhiling <chizhiling@kylinos.cn>
[ Upstream commit 68594cec291ff9523b9feb3f43fd853dcddd1f60 ]
syzkaller reported use-after-free in load_firmware_cb() [1].
The reason is that the module allocated a struct tuner in tuner_probe();
then the module initialization failed and the struct tuner was released.
A worker which was created during module initialization accesses this struct
tuner later, which caused the use-after-free.
The process is as follows:
task-6504                                worker_thread
tuner_probe <= alloc dvb_frontend [2]
...
request_firmware_nowait <= create a worker
...
tuner_remove <= free dvb_frontend
...
                                         request_firmware_work_func <= the firmware is ready
                                         load_firmware_cb <= but now the dvb_frontend has been freed
To fix the issue, check the dvb_frontend in load_firmware_cb(); if it is
null, report a warning and just return.
[1]:
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504
Call trace:
load_firmware_cb+0x1310/0x17a0
request_firmware_work_func+0x128/0x220
process_one_work+0x770/0x1824
worker_thread+0x488/0xea0
kthread+0x300/0x430
ret_from_fork+0x10/0x20
Allocated by task 6504:
kzalloc
tuner_probe+0xb0/0x1430
i2c_device_probe+0x92c/0xaf0
really_probe+0x678/0xcd0
driver_probe_device+0x280/0x370
__device_attach_driver+0x220/0x330
bus_for_each_drv+0x134/0x1c0
__device_attach+0x1f4/0x410
device_initial_probe+0x20/0x30
bus_probe_device+0x184/0x200
device_add+0x924/0x12c0
device_register+0x24/0x30
i2c_new_device+0x4e0/0xc44
v4l2_i2c_new_subdev_board+0xbc/0x290
v4l2_i2c_new_subdev+0xc8/0x104
em28xx_v4l2_init+0x1dd0/0x3770
Freed by task 6504:
kfree+0x238/0x4e4
tuner_remove+0x144/0x1c0
i2c_device_remove+0xc8/0x290
__device_release_driver+0x314/0x5fc
device_release_driver+0x30/0x44
bus_remove_device+0x244/0x490
device_del+0x350/0x900
device_unregister+0x28/0xd0
i2c_unregister_device+0x174/0x1d0
v4l2_device_unregister+0x224/0x380
em28xx_v4l2_init+0x1d90/0x3770
The buggy address belongs to the object at ffff8000d7ca2000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 776 bytes inside of
2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
The buggy address belongs to the page:
page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
flags: 0x7ff800000000100(slab)
raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[2]
Actually, it is allocated for struct tuner, and dvb_frontend is inside.
Signed-off-by: Chi Zhiling <chizhiling@kylinos.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/tuners/xc2028.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/media/tuners/xc2028.c b/drivers/media/tuners/xc2028.c
index 5a967edceca93..352b8a3679b72 100644
--- a/drivers/media/tuners/xc2028.c
+++ b/drivers/media/tuners/xc2028.c
@@ -1361,9 +1361,16 @@ static void load_firmware_cb(const struct firmware *fw,
void *context)
{
struct dvb_frontend *fe = context;
- struct xc2028_data *priv = fe->tuner_priv;
+ struct xc2028_data *priv;
int rc;
+ if (!fe) {
+ pr_warn("xc2028: No frontend in %s\n", __func__);
+ return;
+ }
+
+ priv = fe->tuner_priv;
+
tuner_dbg("request_firmware_nowait(): %s\n", fw ? "OK" : "error");
if (!fw) {
tuner_err("Could not load firmware %s.\n", priv->fname);
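Review bot: the `if (!fe)` check added at the top of load_firmware_cb() does not address the use-after-free the commit message describes. The context handed to request_firmware_nowait() is a pointer to the dvb_frontend embedded in struct tuner (see [2]); once tuner_remove() frees that struct the pointer is dangling, not NULL, so the new check passes and `priv = fe->tuner_priv;` still reads freed memory exactly as the KASAN report shows. Either document which path actually passes a NULL context (the description shows none), or fix the lifetime instead: have tuner_remove() cancel or wait for the outstanding firmware request created by request_firmware_nowait() before the struct tuner is freed. Minor: the new pr_warn() bypasses the tuner_dbg()/tuner_err() helpers used a few lines below; if that is deliberate because `priv` is not yet available, a short comment would help.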
--
2.43.0
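The lifecycle race described in the commit message, as an added user-space model (not the kernel's or the xc2028 driver's code): a tuner embeds its dvb_frontend, probe queues deferred work carrying a pointer to that embedded frontend, and remove frees the tuner. The single-slot work queue, `clear_pending`, `last_magic_seen` and the `magic` field are assumptions of the model; its `tuner_remove` cancels the queued work before freeing, which is the synchronization a NULL check inside the callback cannot provide.

```c
#include <stdlib.h>

struct dvb_frontend { void *tuner_priv; };
struct tuner { unsigned magic; struct dvb_frontend fe; };	/* fe embedded, as in [2] */

/* Minimal work queue (assumed model): one deferred (callback, context) slot, run later by a "worker". */
typedef void (*work_fn)(void *ctx);
static struct { work_fn fn; void *ctx; } pending;
static unsigned last_magic_seen;	/* what the callback last read from a tuner */
static void clear_pending(void) { pending.fn = NULL; pending.ctx = NULL; }
static void request_firmware_nowait(void *ctx, work_fn fn) { pending.fn = fn; pending.ctx = ctx; }

/* Runs the deferred work as the kworker would; returns 1 if something ran. */
static int run_pending_work(void)
{
	if (!pending.fn)
		return 0;
	pending.fn(pending.ctx);
	clear_pending();
	return 1;
}

static void load_firmware_cb(void *ctx)
{
	struct dvb_frontend *fe = ctx;		/* non-NULL even after the tuner is freed */
	struct tuner *t = fe->tuner_priv;	/* only valid while the tuner is alive */
	last_magic_seen = t->magic;
}

static struct tuner *tuner_probe(void)
{
	struct tuner *t = calloc(1, sizeof(*t));
	if (!t)
		return NULL;
	t->magic = 0x7e55;
	t->fe.tuner_priv = t;
	request_firmware_nowait(&t->fe, load_firmware_cb);	/* async, as in xc2028 */
	return t;
}

/* Safe teardown: cancel work still pointing into this tuner before freeing it.
 * Returns 1 if work was cancelled, i.e. the firmware had not arrived yet. */
static int tuner_remove(struct tuner *t)
{
	int cancelled = (pending.ctx == &t->fe);
	if (cancelled)
		clear_pending();
	free(t);
	return cancelled;
}
```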