1. 16 Jun, 2016 3 commits
  2. 15 Jun, 2016 4 commits
    • Shuah Khan's avatar
      [media] media: fix media devnode ioctl/syscall and unregister race · 6f0dd24a
      Shuah Khan authored
      Media devnode open/ioctl could be in progress when media device unregister
      is initiated. System calls and ioctls check media device registered status
      at the beginning, however, there is a window where unregister could be in
      progress without changing the media devnode status to unregistered.
      
      process 1				process 2
      fd = open(/dev/media0)
      media_devnode_is_registered()
      	(returns true here)
      
      					media_device_unregister()
      						(unregister is in progress
      						and devnode isn't
      						unregistered yet)
      					...
      ioctl(fd, ...)
      __media_ioctl()
      media_devnode_is_registered()
      	(returns true here)
      					...
      					media_devnode_unregister()
      					...
      					(driver releases the media device
      					memory)
      
      media_device_ioctl()
      	(By this point
      	devnode->media_dev does not
      	point to allocated memory.
      	use-after free in in mutex_lock_nested)
      
      BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr
      ffff8801ebe914f0
      
      Fix it by clearing register bit when unregister starts to avoid the race.
      
      process 1                               process 2
      fd = open(/dev/media0)
      media_devnode_is_registered()
              (could return true here)
      
                                              media_device_unregister()
                                                      (clear the register bit,
      						 then start unregister.)
                                              ...
      ioctl(fd, ...)
      __media_ioctl()
      media_devnode_is_registered()
              (return false here, ioctl
      	 returns I/O error, and
      	 will not access media
      	 device memory)
                                              ...
                                              media_devnode_unregister()
                                              ...
                                              (driver releases the media device
      					 memory)
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Suggested-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Reported-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Tested-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      6f0dd24a
    • Shuah Khan's avatar
      [media] media: fix use-after-free in cdev_put() when app exits after driver unbind · 5b28dde5
      Shuah Khan authored
      When driver unbinds while media_ioctl is in progress, cdev_put() fails with
      when app exits after driver unbinds.
      
      Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets
      a reference to it and releases it in cdev_del() ensuring that the devnode
      is not deallocated as long as the application has the device file open.
      
      media_devnode_register() initializes the struct device kobj before calling
      cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the
      device. devnode is released when the last reference to the struct device is
      gone.
      
      This problem is found on uvcvideo, em28xx, and au0828 drivers and fix has
      been tested on all three.
      
      kernel: [  193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50
      kernel: [  193.599745] Read of size 8 by task media_device_te/1851
      kernel: [  193.599792] INFO: Allocated in __media_device_register+0x54
      kernel: [  193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0
      
      kernel: [  193.601083] Call Trace:
      kernel: [  193.601093]  [<ffffffff81aecac3>] dump_stack+0x67/0x94
      kernel: [  193.601102]  [<ffffffff815359b2>] print_trailer+0x112/0x1a0
      kernel: [  193.601111]  [<ffffffff8153b5e4>] object_err+0x34/0x40
      kernel: [  193.601119]  [<ffffffff8153d9d4>] kasan_report_error+0x224/0x530
      kernel: [  193.601128]  [<ffffffff814a2c3d>] ? kzfree+0x2d/0x40
      kernel: [  193.601137]  [<ffffffff81539d72>] ? kfree+0x1d2/0x1f0
      kernel: [  193.601154]  [<ffffffff8157ca7e>] ? cdev_put+0x4e/0x50
      kernel: [  193.601162]  [<ffffffff8157ca7e>] cdev_put+0x4e/0x50
      kernel: [  193.601170]  [<ffffffff815767eb>] __fput+0x52b/0x6c0
      kernel: [  193.601179]  [<ffffffff8117743a>] ? switch_task_namespaces+0x2a
      kernel: [  193.601188]  [<ffffffff815769ee>] ____fput+0xe/0x10
      kernel: [  193.601196]  [<ffffffff81170023>] task_work_run+0x133/0x1f0
      kernel: [  193.601204]  [<ffffffff8117746e>] ? switch_task_namespaces+0x5e
      kernel: [  193.601213]  [<ffffffff8111b50c>] do_exit+0x72c/0x2c20
      kernel: [  193.601224]  [<ffffffff8111ade0>] ? release_task+0x1250/0x1250
      -
      -
      -
      kernel: [  193.601360]  [<ffffffff81003587>] ? exit_to_usermode_loop+0xe7
      kernel: [  193.601368]  [<ffffffff810035c0>] exit_to_usermode_loop+0x120
      kernel: [  193.601376]  [<ffffffff810061da>] syscall_return_slowpath+0x16a
      kernel: [  193.601386]  [<ffffffff82848b33>] entry_SYSCALL_64_fastpath+0xa6
      Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
      Tested-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      5b28dde5
    • Mauro Carvalho Chehab's avatar
      [media] media-device: dynamically allocate struct media_devnode · a087ce70
      Mauro Carvalho Chehab authored
      struct media_devnode is currently embedded at struct media_device.
      
      While this works fine during normal usage, it leads to a race
      condition during devnode unregister. the problem is that drivers
      assume that, after calling media_device_unregister(), the struct
      that contains media_device can be freed. This is not true, as it
      can't be freed until userspace closes all opened /dev/media devnodes.
      
      In other words, if the media devnode is still open, and media_device
      gets freed, any call to an ioctl will make the core to try to access
      struct media_device, with will cause an use-after-free and even GPF.
      
      Fix this by dynamically allocating the struct media_devnode and only
      freeing it when it is safe.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      a087ce70
    • Mauro Carvalho Chehab's avatar
      [media] media-devnode: fix namespace mess · 163f1e93
      Mauro Carvalho Chehab authored
      Along all media controller code, "mdev" is used to represent
      a pointer to struct media_device, and "devnode" for a pointer
      to struct media_devnode.
      
      However, inside media-devnode.[ch], "mdev" is used to represent
      a pointer to struct media_devnode.
      
      This is very confusing and may lead to development errors.
      
      So, let's change all occurrences at media-devnode.[ch] to
      also use "devnode" for such pointers.
      
      This patch doesn't make any functional changes.
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      163f1e93
  3. 14 Jun, 2016 1 commit
  4. 10 Jun, 2016 2 commits
  5. 09 Jun, 2016 6 commits
  6. 07 Jun, 2016 24 commits