linux-imx/drivers/media/tuners
Chi Zhiling 850304152d media: xc2028: avoid use-after-free in load_firmware_cb()
[ Upstream commit 68594cec29 ]

syzkaller reported a use-after-free in load_firmware_cb() [1].
The reason is that the module allocated a struct tuner in tuner_probe(),
and then, when the module initialization failed, the struct tuner was released.
A worker which was created during module initialization accesses this struct
tuner later, causing a use-after-free.

The process is as follows:

task-6504           worker_thread
tuner_probe                             <= alloc dvb_frontend [2]
...
request_firmware_nowait                 <= create a worker
...
tuner_remove                            <= free dvb_frontend
...
                    request_firmware_work_func  <= the firmware is ready
                    load_firmware_cb    <= but now the dvb_frontend has been freed

To fix the issue, check the dvb_frontend in load_firmware_cb(); if it is
null, report a warning and just return.

[1]:
    ==================================================================
     BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
     Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504

     Call trace:
      load_firmware_cb+0x1310/0x17a0
      request_firmware_work_func+0x128/0x220
      process_one_work+0x770/0x1824
      worker_thread+0x488/0xea0
      kthread+0x300/0x430
      ret_from_fork+0x10/0x20

     Allocated by task 6504:
      kzalloc
      tuner_probe+0xb0/0x1430
      i2c_device_probe+0x92c/0xaf0
      really_probe+0x678/0xcd0
      driver_probe_device+0x280/0x370
      __device_attach_driver+0x220/0x330
      bus_for_each_drv+0x134/0x1c0
      __device_attach+0x1f4/0x410
      device_initial_probe+0x20/0x30
      bus_probe_device+0x184/0x200
      device_add+0x924/0x12c0
      device_register+0x24/0x30
      i2c_new_device+0x4e0/0xc44
      v4l2_i2c_new_subdev_board+0xbc/0x290
      v4l2_i2c_new_subdev+0xc8/0x104
      em28xx_v4l2_init+0x1dd0/0x3770

     Freed by task 6504:
      kfree+0x238/0x4e4
      tuner_remove+0x144/0x1c0
      i2c_device_remove+0xc8/0x290
      __device_release_driver+0x314/0x5fc
      device_release_driver+0x30/0x44
      bus_remove_device+0x244/0x490
      device_del+0x350/0x900
      device_unregister+0x28/0xd0
      i2c_unregister_device+0x174/0x1d0
      v4l2_device_unregister+0x224/0x380
      em28xx_v4l2_init+0x1d90/0x3770

     The buggy address belongs to the object at ffff8000d7ca2000
      which belongs to the cache kmalloc-2k of size 2048
     The buggy address is located 776 bytes inside of
      2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
     The buggy address belongs to the page:
     page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
     flags: 0x7ff800000000100(slab)
     raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
     raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
     page dumped because: kasan: bad access detected

     Memory state around the buggy address:
      ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                           ^
      ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ==================================================================

[2]
    Actually, it is allocated for struct tuner, and dvb_frontend is inside.

Signed-off-by: Chi Zhiling <chizhiling@kylinos.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-08-14 13:58:46 +02:00
e4000_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1 2019-05-21 11:28:39 +02:00
e4000.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
e4000.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1 2019-05-21 11:28:39 +02:00
fc001x-common.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
fc0011.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
fc0011.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
fc0012-priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
fc0012.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
fc0012.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
fc0013-priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
fc0013.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
fc0013.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
fc2580_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1 2019-05-21 11:28:39 +02:00
fc2580.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
fc2580.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1 2019-05-21 11:28:39 +02:00
it913x.c media: it913x: Convert to platform remove callback returning void 2023-04-11 16:59:21 +02:00
it913x.h media: media tuner headers: fix kernel-doc warnings 2021-03-22 10:24:27 +01:00
Kconfig media: media/*/Kconfig: sort entries 2022-03-18 05:58:35 +01:00
m88rs6000t.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
m88rs6000t.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
Makefile media: Makefiles: sort entries where it fits 2022-03-14 09:42:59 +01:00
max2165_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
max2165.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
max2165.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
mc44s803_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
mc44s803.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
mc44s803.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
msi001.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
mt20xx.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
mt20xx.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
mt2060_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
mt2060.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
mt2060.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
mt2063.c media: fix incorrect kernel doc usages 2021-03-11 11:59:44 +01:00
mt2063.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
mt2131_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
mt2131.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
mt2131.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
mt2266.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
mt2266.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
mxl301rf.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
mxl301rf.h media: tuners/mxl301rf: use SPDX License Identifier 2018-05-04 14:45:21 -04:00
mxl5005s.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
mxl5005s.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
mxl5007t.c media: tuners: mxl5007t: Removed unnecessary 'return' 2021-09-30 10:07:40 +02:00
mxl5007t.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
qm1d1b0004.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
qm1d1b0004.h media: tuners: fix several typos 2019-03-01 09:40:29 -05:00
qm1d1c0042.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
qm1d1c0042.h media: tuners/qm1d1c0042: use SPDX License Identifier 2018-05-04 14:45:45 -04:00
qt1010_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
qt1010.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
qt1010.h media: media tuner headers: fix kernel-doc warnings 2021-03-22 10:24:27 +01:00
r820t.c media: Print chip type explicitly when loading the Rafael Micro r820t module 2021-12-07 11:29:57 +01:00
r820t.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1 2019-05-21 11:28:39 +02:00
si2157_priv.h media: si2157: add ATV support for si2158 2021-12-14 16:19:05 +01:00
si2157.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
si2157.h media: si2157: Add option for not downloading firmware. 2019-10-10 07:07:14 -03:00
tda827x.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
tda827x.h media: media tuner headers: fix kernel-doc warnings 2021-03-22 10:24:27 +01:00
tda8290.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tda8290.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tda9887.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
tda9887.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tda18212.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
tda18212.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1 2019-05-21 11:28:39 +02:00
tda18218_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
tda18218.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
tda18218.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
tda18250_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
tda18250.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
tda18250.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
tda18271-common.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tda18271-fe.c media: Use fallthrough pseudo-keyword 2020-08-29 08:35:27 +02:00
tda18271-maps.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tda18271-priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tda18271.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tea5761.c MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
tea5761.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tea5767.c MAINTAINERS & files: Canonize the e-mails I use at files 2018-05-04 06:21:06 -04:00
tea5767.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tua9001_priv.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
tua9001.c media: Switch i2c drivers back to use .probe() 2023-05-25 16:21:21 +02:00
tua9001.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
tuner-i2c.h media: tuners: fix error return code of hybrid_tuner_request_state() 2021-03-22 10:21:03 +01:00
tuner-simple.c media: tuner-simple: fix regression in simple_set_radio_freq 2020-08-26 18:51:50 +02:00
tuner-simple.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
tuner-types.c media: xc2028: rename the driver from tuner-xc2028 2022-03-12 16:59:50 +01:00
xc2028-types.h media: xc2028: rename the driver from tuner-xc2028 2022-03-12 16:59:50 +01:00
xc2028.c media: xc2028: avoid use-after-free in load_firmware_cb() 2024-08-14 13:58:46 +02:00
xc2028.h media: xc2028: rename the driver from tuner-xc2028 2022-03-12 16:59:50 +01:00
xc4000.c media: xc4000: Fix atomicity violation in xc4000_get_frequency 2024-04-03 15:28:17 +02:00
xc4000.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
xc5000.c media: dvb: symbol fixup for dvb_attach() 2023-09-09 08:15:11 +01:00
xc5000.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00