Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.4.235 2020-05-27T14:40:25+00:00 2020-05-27T14:40:25+00:00 Shuah Khan shuahkh@osg.samsung.com 2016-06-10T17:37:23+00:00 urn:sha1:b882fcc49cb6c95259508766624d08fc516cd672 commit 6f0dd24a084a17f9984dd49dffbf7055bf123993 upstream. Media devnode open/ioctl could be in progress when media device unregister is initiated. System calls and ioctls check media device registered status at the beginning, however, there is a window where unregister could be in progress without changing the media devnode status to unregistered. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (returns true here) media_device_unregister() (unregister is in progress and devnode isn't unregistered yet) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (returns true here) ... media_devnode_unregister() ... (driver releases the media device memory) media_device_ioctl() (By this point devnode->media_dev does not point to allocated memory. use-after free in in mutex_lock_nested) BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr ffff8801ebe914f0 Fix it by clearing register bit when unregister starts to avoid the race. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (could return true here) media_device_unregister() (clear the register bit, then start unregister.) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (return false here, ioctl returns I/O error, and will not access media device memory) ... media_devnode_unregister() ... (driver releases the media device memory) Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Suggested-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reported-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> [bwh: Backported to 4.4: adjut filename, context] Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-05-27T14:40:25+00:00 Shuah Khan shuahkh@osg.samsung.com 2016-05-04T19:48:28+00:00 urn:sha1:bbb3ce60dd698ec19fc7d5ff9fc61e7bedb6b9a4 commit 5b28dde51d0ccc54cee70756e1800d70bed7114a upstream. When driver unbinds while media_ioctl is in progress, cdev_put() fails with when app exits after driver unbinds. Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets a reference to it and releases it in cdev_del() ensuring that the devnode is not deallocated as long as the application has the device file open. media_devnode_register() initializes the struct device kobj before calling cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the device. devnode is released when the last reference to the struct device is gone. This problem is found on uvcvideo, em28xx, and au0828 drivers and fix has been tested on all three. kernel: [ 193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50 kernel: [ 193.599745] Read of size 8 by task media_device_te/1851 kernel: [ 193.599792] INFO: Allocated in __media_device_register+0x54 kernel: [ 193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0 kernel: [ 193.601083] Call Trace: kernel: [ 193.601093] [<ffffffff81aecac3>] dump_stack+0x67/0x94 kernel: [ 193.601102] [<ffffffff815359b2>] print_trailer+0x112/0x1a0 kernel: [ 193.601111] [<ffffffff8153b5e4>] object_err+0x34/0x40 kernel: [ 193.601119] [<ffffffff8153d9d4>] kasan_report_error+0x224/0x530 kernel: [ 193.601128] [<ffffffff814a2c3d>] ? kzfree+0x2d/0x40 kernel: [ 193.601137] [<ffffffff81539d72>] ? kfree+0x1d2/0x1f0 kernel: [ 193.601154] [<ffffffff8157ca7e>] ? cdev_put+0x4e/0x50 kernel: [ 193.601162] [<ffffffff8157ca7e>] cdev_put+0x4e/0x50 kernel: [ 193.601170] [<ffffffff815767eb>] __fput+0x52b/0x6c0 kernel: [ 193.601179] [<ffffffff8117743a>] ? switch_task_namespaces+0x2a kernel: [ 193.601188] [<ffffffff815769ee>] ____fput+0xe/0x10 kernel: [ 193.601196] [<ffffffff81170023>] task_work_run+0x133/0x1f0 kernel: [ 193.601204] [<ffffffff8117746e>] ? switch_task_namespaces+0x5e kernel: [ 193.601213] [<ffffffff8111b50c>] do_exit+0x72c/0x2c20 kernel: [ 193.601224] [<ffffffff8111ade0>] ? release_task+0x1250/0x1250 - - - kernel: [ 193.601360] [<ffffffff81003587>] ? exit_to_usermode_loop+0xe7 kernel: [ 193.601368] [<ffffffff810035c0>] exit_to_usermode_loop+0x120 kernel: [ 193.601376] [<ffffffff810061da>] syscall_return_slowpath+0x16a kernel: [ 193.601386] [<ffffffff82848b33>] entry_SYSCALL_64_fastpath+0xa6 Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-05-27T14:40:25+00:00 Mauro Carvalho Chehab mchehab@osg.samsung.com 2016-04-27T22:28:26+00:00 urn:sha1:bcce79f625b4ad3c9309198f5eb8325483651439 commit a087ce704b802becbb4b0f2a20f2cb3f6911802e upstream. struct media_devnode is currently embedded at struct media_device. While this works fine during normal usage, it leads to a race condition during devnode unregister. the problem is that drivers assume that, after calling media_device_unregister(), the struct that contains media_device can be freed. This is not true, as it can't be freed until userspace closes all opened /dev/media devnodes. In other words, if the media devnode is still open, and media_device gets freed, any call to an ioctl will make the core to try to access struct media_device, with will cause an use-after-free and even GPF. Fix this by dynamically allocating the struct media_devnode and only freeing it when it is safe. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> [bwh: Backported to 4.4: - Drop change in au0828 - Include <linux/slab.h> in media-device.c - Adjust context] Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-05-27T14:40:25+00:00 Mauro Carvalho Chehab mchehab@osg.samsung.com 2016-03-23T14:22:57+00:00 urn:sha1:328ff670b09bd078fa463aa65c7609ae152d8927 commit 163f1e93e995048b894c5fc86a6034d16beed740 upstream. Along all media controller code, "mdev" is used to represent a pointer to struct media_device, and "devnode" for a pointer to struct media_devnode. However, inside media-devnode.[ch], "mdev" is used to represent a pointer to struct media_devnode. This is very confusing and may lead to development errors. So, let's change all occurrences at media-devnode.[ch] to also use "devnode" for such pointers. This patch doesn't make any functional changes. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> [bwh: Backported to 4.4: adjust filename, context] Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-05-27T14:40:24+00:00 Max Kellermann max@duempel.org 2016-03-21T11:33:12+00:00 urn:sha1:46522c641eb5212172d7f0b34c56c42e89692fa3 commit 88336e174645948da269e1812f138f727cd2896b upstream. We should protect the device unregister patch too, at the error condition. Signed-off-by: Max Kellermann <max@duempel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-05-27T14:40:24+00:00 Max Kellermann max@duempel.org 2016-03-21T13:30:28+00:00 urn:sha1:c4cbdb763ae30989a19b5936611f10e4110fd070 commit bf244f665d76d20312c80524689b32a752888838 upstream. Callbacks invoked from put_device() may free the struct media_devnode pointer, so any cleanup needs to be done before put_device(). Signed-off-by: Max Kellermann <max@duempel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-05-27T14:40:24+00:00 Shuah Khan shuahkh@osg.samsung.com 2016-01-27T23:49:33+00:00 urn:sha1:7451beed434b50a1477c80a9ded791465ffd2baa commit d40ec6fdb0b03b7be4c7923a3da0e46bf943740a upstream. Fix media_open() to clear filp->private_data when file open fails. Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> 2014-09-03T20:59:28+00:00 Mauro Carvalho Chehab m.chehab@samsung.com 2014-09-03T18:18:27+00:00 urn:sha1:8b37c6455fc8f43e0e95db2847284e618db6a4f8 Instead of allocating a var to store 0 and just return it, change the code to return 0 directly. Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com> 2014-05-13T16:39:00+00:00 Sakari Ailus sakari.ailus@linux.intel.com 2013-12-12T15:38:17+00:00 urn:sha1:85de721c46ba8ad9b283b2b3e307c9a3e8425042 mdev->fops->owner is actually the owner of the very same module which implements media_device_register(), so it can't be unloaded anyway. Instead, use THIS_MODULE through a macro as does video_register_device(). Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com> 2013-03-18T23:44:36+00:00 Sakari Ailus sakari.ailus@iki.fi 2013-01-22T15:27:55+00:00 urn:sha1:c6c1d50b51e76b57fbf0651d38a7ae0c3fb9d5cc Provide an ioctl handler for 32-bit binaries on 64-bit systems. Signed-off-by: Sakari Ailus <sakari.ailus@iki.fi> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>