From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Hyunwoo Kim <v4bel@theori.io>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 51/99] media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
Date: Wed, 7 Jun 2023 22:16:43 +0200 [thread overview]
Message-ID: <20230607200901.846665193@linuxfoundation.org> (raw)
In-Reply-To: <20230607200900.195572674@linuxfoundation.org>
From: Hyunwoo Kim <v4bel@theori.io>
[ Upstream commit 280a8ab81733da8bc442253c700a52c4c0886ffd ]
If the device node of dvb_ca_en50221 is open() and the
device is disconnected, a UAF may occur when calling
close() on the device node.
The root cause is that wake_up() and wait_event() for
dvbdev->wait_queue are not implemented.
So implement wait_event() function in dvb_ca_en50221_release()
and add 'remove_mutex' which prevents race condition
for 'ca->exit'.
[mchehab: fix a checkpatch warning]
Link: https://lore.kernel.org/linux-media/20221121063308.GA33821@ubuntu
Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-core/dvb_ca_en50221.c | 37 ++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index b1a7b5f8b9aa4..dec036e0336cb 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -151,6 +151,12 @@ struct dvb_ca_private {
/* mutex serializing ioctls */
struct mutex ioctl_mutex;
+
+ /* A mutex used when a device is disconnected */
+ struct mutex remove_mutex;
+
+ /* Whether the device is disconnected */
+ int exit;
};
static void dvb_ca_private_free(struct dvb_ca_private *ca)
@@ -1708,12 +1714,22 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)
dprintk("%s\n", __func__);
- if (!try_module_get(ca->pub->owner))
+ mutex_lock(&ca->remove_mutex);
+
+ if (ca->exit) {
+ mutex_unlock(&ca->remove_mutex);
+ return -ENODEV;
+ }
+
+ if (!try_module_get(ca->pub->owner)) {
+ mutex_unlock(&ca->remove_mutex);
return -EIO;
+ }
err = dvb_generic_open(inode, file);
if (err < 0) {
module_put(ca->pub->owner);
+ mutex_unlock(&ca->remove_mutex);
return err;
}
@@ -1738,6 +1754,7 @@ static int dvb_ca_en50221_io_open(struct inode *inode, struct file *file)
dvb_ca_private_get(ca);
+ mutex_unlock(&ca->remove_mutex);
return 0;
}
@@ -1757,6 +1774,8 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)
dprintk("%s\n", __func__);
+ mutex_lock(&ca->remove_mutex);
+
/* mark the CA device as closed */
ca->open = 0;
dvb_ca_en50221_thread_update_delay(ca);
@@ -1767,6 +1786,13 @@ static int dvb_ca_en50221_io_release(struct inode *inode, struct file *file)
dvb_ca_private_put(ca);
+ if (dvbdev->users == 1 && ca->exit == 1) {
+ mutex_unlock(&ca->remove_mutex);
+ wake_up(&dvbdev->wait_queue);
+ } else {
+ mutex_unlock(&ca->remove_mutex);
+ }
+
return err;
}
@@ -1890,6 +1916,7 @@ int dvb_ca_en50221_init(struct dvb_adapter *dvb_adapter,
}
mutex_init(&ca->ioctl_mutex);
+ mutex_init(&ca->remove_mutex);
if (signal_pending(current)) {
ret = -EINTR;
@@ -1932,6 +1959,14 @@ void dvb_ca_en50221_release(struct dvb_ca_en50221 *pubca)
dprintk("%s\n", __func__);
+ mutex_lock(&ca->remove_mutex);
+ ca->exit = 1;
+ mutex_unlock(&ca->remove_mutex);
+
+ if (ca->dvbdev->users < 1)
+ wait_event(ca->dvbdev->wait_queue,
+ ca->dvbdev->users == 1);
+
/* shutdown the thread if there was one */
kthread_stop(ca->thread);
--
2.39.2
next prev parent reply other threads:[~2023-06-07 20:54 UTC|newest]
Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-07 20:15 [PATCH 5.4 00/99] 5.4.246-rc1 review Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 01/99] RDMA/efa: Fix unsupported page sizes in device Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 02/99] RDMA/bnxt_re: Enable SRIOV VF support on Broadcoms 57500 adapter series Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 03/99] RDMA/bnxt_re: Refactor queue pair creation code Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 04/99] RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 05/99] iommu/rockchip: Fix unwind goto issue Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 06/99] iommu/amd: Dont block updates to GATag if guest mode is on Greg Kroah-Hartman
2023-06-07 20:15 ` [PATCH 5.4 07/99] dmaengine: pl330: rename _start to prevent build error Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 08/99] net/mlx5: fw_tracer, Fix event handling Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 09/99] netrom: fix info-leak in nr_write_internal() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 10/99] af_packet: Fix data-races of pkt_sk(sk)->num Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 11/99] amd-xgbe: fix the false linkup in xgbe_phy_status Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 12/99] mtd: rawnand: ingenic: fix empty stub helper definitions Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 13/99] af_packet: do not use READ_ONCE() in packet_bind() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 14/99] tcp: deny tcp_disconnect() when threads are waiting Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 15/99] tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 16/99] net/sched: sch_ingress: Only create under TC_H_INGRESS Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 17/99] net/sched: sch_clsact: Only create under TC_H_CLSACT Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 18/99] net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 19/99] net/sched: Prohibit regrafting ingress or clsact Qdiscs Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 20/99] net: sched: fix NULL pointer dereference in mq_attach Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 21/99] ocfs2/dlm: move BITS_TO_BYTES() to bitops.h for wider use Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 22/99] net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 23/99] udp6: Fix race condition in udp6_sendmsg & connect Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 24/99] net/sched: flower: fix possible OOB write in fl_set_geneve_opt() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 25/99] net: dsa: mv88e6xxx: Increase wait after reset deactivation Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 26/99] mtd: rawnand: marvell: ensure timing values are written Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 27/99] mtd: rawnand: marvell: dont set the NAND frequency select Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 28/99] watchdog: menz069_wdt: fix watchdog initialisation Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 29/99] mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 30/99] ARM: 9295/1: unwind:fix unwind abort for uleb128 case Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 31/99] media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 32/99] fbdev: modedb: Add 1920x1080 at 60 Hz video mode Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 33/99] fbdev: stifb: Fix info entry in sti_struct on error path Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 34/99] nbd: Fix debugfs_create_dir error checking Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 35/99] ASoC: dwc: limit the number of overrun messages Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 36/99] xfrm: Check if_id in inbound policy/secpath match Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 37/99] ASoC: ssm2602: Add workaround for playback distortions Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 38/99] media: dvb_demux: fix a bug for the continuity counter Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 39/99] media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 40/99] media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 41/99] media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 42/99] media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 43/99] media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 44/99] media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 45/99] media: netup_unidvb: fix irq init by register it at the end of probe Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 46/99] media: dvb_ca_en50221: fix a size write bug Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 47/99] media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 48/99] media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 49/99] media: dvb-core: Fix use-after-free due on race condition at dvb_net Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 50/99] media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*() Greg Kroah-Hartman
2023-06-07 20:16 ` Greg Kroah-Hartman [this message]
2023-06-07 20:16 ` [PATCH 5.4 52/99] wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 53/99] ARM: dts: stm32: add pin map for CAN controller on stm32f7 Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 54/99] arm64/mm: mark private VM_FAULT_X defines as vm_fault_t Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 55/99] scsi: core: Decrease scsi_devices iorequest_cnt if dispatch failed Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 56/99] wifi: b43: fix incorrect __packed annotation Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 57/99] netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 58/99] ALSA: oss: avoid missing-prototype warnings Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 59/99] atm: hide unused procfs functions Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 60/99] mailbox: mailbox-test: fix a locking issue in mbox_test_message_write() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 61/99] iio: adc: mxs-lradc: fix the order of two cleanup operations Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 62/99] HID: google: add jewel USB id Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 63/99] HID: wacom: avoid integer overflow in wacom_intuos_inout() Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 64/99] iio: light: vcnl4035: fixed chip ID check Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 65/99] iio: dac: mcp4725: Fix i2c_master_send() return value handling Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 66/99] iio: dac: build ad5758 driver when AD5758 is selected Greg Kroah-Hartman
2023-06-07 20:16 ` [PATCH 5.4 67/99] net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818 Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 68/99] usb: gadget: f_fs: Add unbind event before functionfs_unbind Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 69/99] misc: fastrpc: return -EPIPE to invocations on device removal Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 70/99] misc: fastrpc: reject new invocations during " Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 71/99] scsi: stex: Fix gcc 13 warnings Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 72/99] ata: libata-scsi: Use correct device no in ata_find_dev() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 73/99] flow_dissector: work around stack frame size warning Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 74/99] x86/boot: Wrap literal addresses in absolute_pointer() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 75/99] ACPI: thermal: drop an always true check Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 76/99] gcc-12: disable -Wdangling-pointer warning for now Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 77/99] eth: sun: cassini: remove dead code Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 78/99] kernel/extable.c: use address-of operator on section symbols Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 79/99] treewide: Remove uninitialized_var() usage Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 80/99] lib/dynamic_debug.c: use address-of operator on section symbols Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 81/99] wifi: rtlwifi: remove always-true condition pointed out by GCC 12 Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 82/99] mmc: vub300: fix invalid response handling Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 83/99] tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 84/99] selinux: dont use makes grouped targets feature yet Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 85/99] tracing/probe: trace_probe_primary_from_call(): checked list_first_entry Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 86/99] ext4: add EA_INODE checking to ext4_iget() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 87/99] ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 88/99] ext4: disallow ea_inodes with extended attributes Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 89/99] ext4: add lockdep annotations for i_data_sem for ea_inodes Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 90/99] fbcon: Fix null-ptr-deref in soft_cursor Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 91/99] test_firmware: fix the memory leak of the allocated firmware buffer Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 92/99] regmap: Account for register length when chunking Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 93/99] scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD) Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 94/99] scsi: dpt_i2o: Do not process completions with invalid addresses Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 95/99] RDMA/bnxt_re: Remove set but not used variable dev_attr Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 96/99] RDMA/bnxt_re: Remove the qp from list only if the qp destroy succeeds Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 97/99] drm/edid: Fix uninitialized variable in drm_cvt_modes() Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 98/99] wifi: rtlwifi: 8192de: correct checking of IQK reload Greg Kroah-Hartman
2023-06-07 20:17 ` [PATCH 5.4 99/99] drm/edid: fix objtool warning in drm_cvt_modes() Greg Kroah-Hartman
2023-06-07 22:18 ` [PATCH 5.4 00/99] 5.4.246-rc1 review Florian Fainelli
2023-06-08 1:27 ` Shuah Khan
2023-06-08 7:20 ` Chris Paterson
2023-06-08 15:03 ` Naresh Kamboju
2023-06-08 15:43 ` Harshit Mogalapalli
2023-06-09 0:27 ` Guenter Roeck
2023-06-09 8:15 ` Sudip Mukherjee (Codethink)
2023-06-09 16:17 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230607200901.846665193@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=mchehab@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=v4bel@theori.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).