linux-stable/drivers/media
Max Kellermann 1f862a68df [media] dvb_frontend: move kref to struct dvb_frontend
This commit amends my old commit fe35637b0a ("[media] dvb_frontend:
eliminate blocking wait in dvb_unregister_frontend()"), which added
kref to struct dvb_frontend_private.  It turned out that there are
several use-after-free bugs left, which affect the struct
dvb_frontend.  Protecting it with kref also protects struct
dvb_frontend_private, so we can simply move it.

This is how the use-after-free looks like in KASAN:

    BUG: KASAN: use-after-free in string+0x60/0xb1 at addr ffff880033bd9fc0
    Read of size 1 by task kworker/0:2/617
    CPU: 0 PID: 617 Comm: kworker/0:2 Not tainted 4.8.0-rc1-hosting+ #60
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    Workqueue: usb_hub_wq hub_event
     0000000000000000 ffff880033757218 ffffffff81394e50 ffff880033bd9fd0
     ffff880035c03b00 ffff880033757240 ffffffff811f271d ffff880033bd9fc0
     1ffff1000677b3f8 ffffed000677b3f8 ffff8800337572b8 ffffffff811f2afe
    Call Trace:
     [...]
     [<ffffffff813a2d2f>] vsnprintf+0x39d/0x7e9
     [<ffffffff813993f9>] add_uevent_var+0x10f/0x1dc
     [<ffffffff814fe5ca>] rc_dev_uevent+0x55/0x6f
     [<ffffffff814438f8>] dev_uevent+0x2e1/0x316
     [<ffffffff81399744>] kobject_uevent_env+0x27e/0x701
     [<ffffffff81399bd2>] kobject_uevent+0xb/0xd
     [<ffffffff81443445>] device_del+0x322/0x383
     [<ffffffff81500c0c>] rc_unregister_device+0x98/0xc3
     [<ffffffff81508fb4>] dvb_usb_remote_exit+0x7a/0x90
     [<ffffffff81506157>] dvb_usb_exit+0x1d/0xe5
     [<ffffffff81506e90>] dvb_usb_device_exit+0x69/0x7d
     [<ffffffff8150a181>] pctv452e_usb_disconnect+0x7b/0x80
     [...]
    Object at ffff880033bd9fc0, in cache kmalloc-16 size: 16
    Allocated:
     [...]
    Freed:
    PID = 617
     [...]
     [<ffffffff811f034c>] kfree+0xd9/0x166
     [<ffffffff814fe513>] ir_free_table+0x2f/0x51
     [<ffffffff81500bc1>] rc_unregister_device+0x4d/0xc3
     [<ffffffff81508fb4>] dvb_usb_remote_exit+0x7a/0x90
     [<ffffffff81506157>] dvb_usb_exit+0x1d/0xe5
     [<ffffffff81506e90>] dvb_usb_device_exit+0x69/0x7d
     [<ffffffff8150a181>] pctv452e_usb_disconnect+0x7b/0x80

Another one:

    BUG: KASAN: use-after-free in do_sys_poll+0x336/0x6b8 at addr ffff88003563fcc0
    Read of size 8 by task tuner on fronte/1042
    CPU: 1 PID: 1042 Comm: tuner on fronte Tainted: G    B           4.8.0-rc1-hosting+ #60
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
     0000000000000000 ffff88003353f910 ffffffff81394e50 ffff88003563fd80
     ffff880035c03200 ffff88003353f938 ffffffff811f271d ffff88003563fc80
     1ffff10006ac7f98 ffffed0006ac7f98 ffff88003353f9b0 ffffffff811f2afe
    Call Trace:
     [...]
     [<ffffffff812289b3>] do_sys_poll+0x336/0x6b8
     [...]
     [<ffffffff81228ed9>] SyS_poll+0xa9/0x194
     [...]
    Object at ffff88003563fc80, in cache kmalloc-256 size: 256
    Allocated:
     [...]
    Freed:
    PID = 617
     [...]
     [<ffffffff811f034c>] kfree+0xd9/0x166
     [<ffffffff814eb60d>] dvb_unregister_device+0xd6/0xe5
     [<ffffffff814fa4ed>] dvb_unregister_frontend+0x4b/0x66
     [<ffffffff8150810b>] dvb_usb_adapter_frontend_exit+0x69/0xac
     [<ffffffff8150617d>] dvb_usb_exit+0x43/0xe5
     [<ffffffff81506e90>] dvb_usb_device_exit+0x69/0x7d
     [<ffffffff8150a181>] pctv452e_usb_disconnect+0x7b/0x80

Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-11-18 15:13:22 -02:00
..
cec [media] cec: zero counters in cec_received_msg() 2016-11-16 15:49:01 -02:00
common [media] dvb: make DVB frontend *_ops instances "const" 2016-11-18 15:00:22 -02:00
dvb-core [media] dvb_frontend: move kref to struct dvb_frontend 2016-11-18 15:13:22 -02:00
dvb-frontends [media] stb0899: move code to "detach" callback 2016-11-18 15:10:41 -02:00
firewire [media] firewire: don't break long lines 2016-10-21 10:06:00 -02:00
i2c [media] tvp5150: get rid of KERN_CONT 2016-11-18 10:11:09 -02:00
mmc
pci [media] dvb: make DVB frontend *_ops instances "const" 2016-11-18 15:00:22 -02:00
platform [media] media: platform: ti-vpe: call of_node_put on non-null pointer 2016-11-18 14:23:33 -02:00
radio [media] wl128x: use KERNEL_CONT where needed 2016-11-18 09:37:24 -02:00
rc [media] rc-main: clear rc_map.name in ir_free_table() 2016-11-18 14:31:34 -02:00
spi [media] gs1662: drop kfree for memory allocated with devm_kzalloc 2016-10-24 17:59:08 -02:00
tuners [media] dvb_frontend: tuner_ops.release returns void 2016-11-18 15:07:26 -02:00
usb [media] dvb_frontend: tuner_ops.release returns void 2016-11-18 15:07:26 -02:00
v4l2-core [media] tuner-core: use pr_foo, instead of internal printk macros 2016-11-18 10:04:28 -02:00
cec-edid.c [media] cec-edid: check for IEEE identifier 2016-08-22 14:04:51 -03:00
Kconfig [media] cec: move the CEC framework out of staging and to media 2016-11-16 15:40:20 -02:00
Makefile [media] cec: move the CEC framework out of staging and to media 2016-11-16 15:40:20 -02:00
media-device.c [media] media: Add flags to tell whether to take graph mutex for an IOCTL 2016-09-22 10:28:40 -03:00
media-devnode.c [media] media: fix media devnode ioctl/syscall and unregister race 2016-06-15 17:59:28 -03:00
media-entity.c [media] media: Move media_device link_notify operation to an ops structure 2016-09-09 11:20:09 -03:00