mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-29 23:53:32 +00:00
5b28dde51d
When driver unbinds while media_ioctl is in progress, cdev_put() fails with when app exits after driver unbinds. Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets a reference to it and releases it in cdev_del() ensuring that the devnode is not deallocated as long as the application has the device file open. media_devnode_register() initializes the struct device kobj before calling cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the device. devnode is released when the last reference to the struct device is gone. This problem is found on uvcvideo, em28xx, and au0828 drivers and fix has been tested on all three. kernel: [ 193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50 kernel: [ 193.599745] Read of size 8 by task media_device_te/1851 kernel: [ 193.599792] INFO: Allocated in __media_device_register+0x54 kernel: [ 193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0 kernel: [ 193.601083] Call Trace: kernel: [ 193.601093] [<ffffffff81aecac3>] dump_stack+0x67/0x94 kernel: [ 193.601102] [<ffffffff815359b2>] print_trailer+0x112/0x1a0 kernel: [ 193.601111] [<ffffffff8153b5e4>] object_err+0x34/0x40 kernel: [ 193.601119] [<ffffffff8153d9d4>] kasan_report_error+0x224/0x530 kernel: [ 193.601128] [<ffffffff814a2c3d>] ? kzfree+0x2d/0x40 kernel: [ 193.601137] [<ffffffff81539d72>] ? kfree+0x1d2/0x1f0 kernel: [ 193.601154] [<ffffffff8157ca7e>] ? cdev_put+0x4e/0x50 kernel: [ 193.601162] [<ffffffff8157ca7e>] cdev_put+0x4e/0x50 kernel: [ 193.601170] [<ffffffff815767eb>] __fput+0x52b/0x6c0 kernel: [ 193.601179] [<ffffffff8117743a>] ? switch_task_namespaces+0x2a kernel: [ 193.601188] [<ffffffff815769ee>] ____fput+0xe/0x10 kernel: [ 193.601196] [<ffffffff81170023>] task_work_run+0x133/0x1f0 kernel: [ 193.601204] [<ffffffff8117746e>] ? switch_task_namespaces+0x5e kernel: [ 193.601213] [<ffffffff8111b50c>] do_exit+0x72c/0x2c20 kernel: [ 193.601224] [<ffffffff8111ade0>] ? release_task+0x1250/0x1250 - - - kernel: [ 193.601360] [<ffffffff81003587>] ? exit_to_usermode_loop+0xe7 kernel: [ 193.601368] [<ffffffff810035c0>] exit_to_usermode_loop+0x120 kernel: [ 193.601376] [<ffffffff810061da>] syscall_return_slowpath+0x16a kernel: [ 193.601386] [<ffffffff82848b33>] entry_SYSCALL_64_fastpath+0xa6 Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
342 lines
8.9 KiB
C
342 lines
8.9 KiB
C
/*
|
|
* Media device node
|
|
*
|
|
* Copyright (C) 2010 Nokia Corporation
|
|
*
|
|
* Based on drivers/media/video/v4l2_dev.c code authored by
|
|
* Mauro Carvalho Chehab <mchehab@infradead.org> (version 2)
|
|
* Alan Cox, <alan@lxorguk.ukuu.org.uk> (version 1)
|
|
*
|
|
* Contacts: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
|
|
* Sakari Ailus <sakari.ailus@iki.fi>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*
|
|
* --
|
|
*
|
|
* Generic media device node infrastructure to register and unregister
|
|
* character devices using a dynamic major number and proper reference
|
|
* counting.
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <linux/errno.h>
|
|
#include <linux/init.h>
|
|
#include <linux/module.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/kmod.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/string.h>
|
|
#include <linux/types.h>
|
|
#include <linux/uaccess.h>
|
|
|
|
#include <media/media-devnode.h>
|
|
#include <media/media-device.h>
|
|
|
|
#define MEDIA_NUM_DEVICES 256
|
|
#define MEDIA_NAME "media"
|
|
|
|
static dev_t media_dev_t;
|
|
|
|
/*
|
|
* Active devices
|
|
*/
|
|
static DEFINE_MUTEX(media_devnode_lock);
|
|
static DECLARE_BITMAP(media_devnode_nums, MEDIA_NUM_DEVICES);
|
|
|
|
/* Called when the last user of the media device exits. */
|
|
static void media_devnode_release(struct device *cd)
|
|
{
|
|
struct media_devnode *devnode = to_media_devnode(cd);
|
|
|
|
mutex_lock(&media_devnode_lock);
|
|
/* Mark device node number as free */
|
|
clear_bit(devnode->minor, media_devnode_nums);
|
|
mutex_unlock(&media_devnode_lock);
|
|
|
|
/* Release media_devnode and perform other cleanups as needed. */
|
|
if (devnode->release)
|
|
devnode->release(devnode);
|
|
|
|
kfree(devnode);
|
|
pr_debug("%s: Media Devnode Deallocated\n", __func__);
|
|
}
|
|
|
|
static struct bus_type media_bus_type = {
|
|
.name = MEDIA_NAME,
|
|
};
|
|
|
|
static ssize_t media_read(struct file *filp, char __user *buf,
|
|
size_t sz, loff_t *off)
|
|
{
|
|
struct media_devnode *devnode = media_devnode_data(filp);
|
|
|
|
if (!devnode->fops->read)
|
|
return -EINVAL;
|
|
if (!media_devnode_is_registered(devnode))
|
|
return -EIO;
|
|
return devnode->fops->read(filp, buf, sz, off);
|
|
}
|
|
|
|
static ssize_t media_write(struct file *filp, const char __user *buf,
|
|
size_t sz, loff_t *off)
|
|
{
|
|
struct media_devnode *devnode = media_devnode_data(filp);
|
|
|
|
if (!devnode->fops->write)
|
|
return -EINVAL;
|
|
if (!media_devnode_is_registered(devnode))
|
|
return -EIO;
|
|
return devnode->fops->write(filp, buf, sz, off);
|
|
}
|
|
|
|
static unsigned int media_poll(struct file *filp,
|
|
struct poll_table_struct *poll)
|
|
{
|
|
struct media_devnode *devnode = media_devnode_data(filp);
|
|
|
|
if (!media_devnode_is_registered(devnode))
|
|
return POLLERR | POLLHUP;
|
|
if (!devnode->fops->poll)
|
|
return DEFAULT_POLLMASK;
|
|
return devnode->fops->poll(filp, poll);
|
|
}
|
|
|
|
static long
|
|
__media_ioctl(struct file *filp, unsigned int cmd, unsigned long arg,
|
|
long (*ioctl_func)(struct file *filp, unsigned int cmd,
|
|
unsigned long arg))
|
|
{
|
|
struct media_devnode *devnode = media_devnode_data(filp);
|
|
|
|
if (!ioctl_func)
|
|
return -ENOTTY;
|
|
|
|
if (!media_devnode_is_registered(devnode))
|
|
return -EIO;
|
|
|
|
return ioctl_func(filp, cmd, arg);
|
|
}
|
|
|
|
static long media_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|
{
|
|
struct media_devnode *devnode = media_devnode_data(filp);
|
|
|
|
return __media_ioctl(filp, cmd, arg, devnode->fops->ioctl);
|
|
}
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
static long media_compat_ioctl(struct file *filp, unsigned int cmd,
|
|
unsigned long arg)
|
|
{
|
|
struct media_devnode *devnode = media_devnode_data(filp);
|
|
|
|
return __media_ioctl(filp, cmd, arg, devnode->fops->compat_ioctl);
|
|
}
|
|
|
|
#endif /* CONFIG_COMPAT */
|
|
|
|
/* Override for the open function */
|
|
static int media_open(struct inode *inode, struct file *filp)
|
|
{
|
|
struct media_devnode *devnode;
|
|
int ret;
|
|
|
|
/* Check if the media device is available. This needs to be done with
|
|
* the media_devnode_lock held to prevent an open/unregister race:
|
|
* without the lock, the device could be unregistered and freed between
|
|
* the media_devnode_is_registered() and get_device() calls, leading to
|
|
* a crash.
|
|
*/
|
|
mutex_lock(&media_devnode_lock);
|
|
devnode = container_of(inode->i_cdev, struct media_devnode, cdev);
|
|
/* return ENXIO if the media device has been removed
|
|
already or if it is not registered anymore. */
|
|
if (!media_devnode_is_registered(devnode)) {
|
|
mutex_unlock(&media_devnode_lock);
|
|
return -ENXIO;
|
|
}
|
|
/* and increase the device refcount */
|
|
get_device(&devnode->dev);
|
|
mutex_unlock(&media_devnode_lock);
|
|
|
|
filp->private_data = devnode;
|
|
|
|
if (devnode->fops->open) {
|
|
ret = devnode->fops->open(filp);
|
|
if (ret) {
|
|
put_device(&devnode->dev);
|
|
filp->private_data = NULL;
|
|
return ret;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* Override for the release function */
|
|
static int media_release(struct inode *inode, struct file *filp)
|
|
{
|
|
struct media_devnode *devnode = media_devnode_data(filp);
|
|
|
|
if (devnode->fops->release)
|
|
devnode->fops->release(filp);
|
|
|
|
filp->private_data = NULL;
|
|
|
|
/* decrease the refcount unconditionally since the release()
|
|
return value is ignored. */
|
|
put_device(&devnode->dev);
|
|
|
|
pr_debug("%s: Media Release\n", __func__);
|
|
return 0;
|
|
}
|
|
|
|
static const struct file_operations media_devnode_fops = {
|
|
.owner = THIS_MODULE,
|
|
.read = media_read,
|
|
.write = media_write,
|
|
.open = media_open,
|
|
.unlocked_ioctl = media_ioctl,
|
|
#ifdef CONFIG_COMPAT
|
|
.compat_ioctl = media_compat_ioctl,
|
|
#endif /* CONFIG_COMPAT */
|
|
.release = media_release,
|
|
.poll = media_poll,
|
|
.llseek = no_llseek,
|
|
};
|
|
|
|
int __must_check media_devnode_register(struct media_device *mdev,
|
|
struct media_devnode *devnode,
|
|
struct module *owner)
|
|
{
|
|
int minor;
|
|
int ret;
|
|
|
|
/* Part 1: Find a free minor number */
|
|
mutex_lock(&media_devnode_lock);
|
|
minor = find_next_zero_bit(media_devnode_nums, MEDIA_NUM_DEVICES, 0);
|
|
if (minor == MEDIA_NUM_DEVICES) {
|
|
mutex_unlock(&media_devnode_lock);
|
|
pr_err("could not get a free minor\n");
|
|
kfree(devnode);
|
|
return -ENFILE;
|
|
}
|
|
|
|
set_bit(minor, media_devnode_nums);
|
|
mutex_unlock(&media_devnode_lock);
|
|
|
|
devnode->minor = minor;
|
|
devnode->media_dev = mdev;
|
|
|
|
/* Part 1: Initialize dev now to use dev.kobj for cdev.kobj.parent */
|
|
devnode->dev.bus = &media_bus_type;
|
|
devnode->dev.devt = MKDEV(MAJOR(media_dev_t), devnode->minor);
|
|
devnode->dev.release = media_devnode_release;
|
|
if (devnode->parent)
|
|
devnode->dev.parent = devnode->parent;
|
|
dev_set_name(&devnode->dev, "media%d", devnode->minor);
|
|
device_initialize(&devnode->dev);
|
|
|
|
/* Part 2: Initialize and register the character device */
|
|
cdev_init(&devnode->cdev, &media_devnode_fops);
|
|
devnode->cdev.owner = owner;
|
|
devnode->cdev.kobj.parent = &devnode->dev.kobj;
|
|
|
|
ret = cdev_add(&devnode->cdev, MKDEV(MAJOR(media_dev_t), devnode->minor), 1);
|
|
if (ret < 0) {
|
|
pr_err("%s: cdev_add failed\n", __func__);
|
|
goto cdev_add_error;
|
|
}
|
|
|
|
/* Part 3: Add the media device */
|
|
ret = device_add(&devnode->dev);
|
|
if (ret < 0) {
|
|
pr_err("%s: device_add failed\n", __func__);
|
|
goto device_add_error;
|
|
}
|
|
|
|
/* Part 4: Activate this minor. The char device can now be used. */
|
|
set_bit(MEDIA_FLAG_REGISTERED, &devnode->flags);
|
|
|
|
return 0;
|
|
|
|
device_add_error:
|
|
cdev_del(&devnode->cdev);
|
|
cdev_add_error:
|
|
mutex_lock(&media_devnode_lock);
|
|
clear_bit(devnode->minor, media_devnode_nums);
|
|
devnode->media_dev = NULL;
|
|
mutex_unlock(&media_devnode_lock);
|
|
|
|
put_device(&devnode->dev);
|
|
return ret;
|
|
}
|
|
|
|
void media_devnode_unregister(struct media_devnode *devnode)
|
|
{
|
|
/* Check if devnode was ever registered at all */
|
|
if (!media_devnode_is_registered(devnode))
|
|
return;
|
|
|
|
mutex_lock(&media_devnode_lock);
|
|
clear_bit(MEDIA_FLAG_REGISTERED, &devnode->flags);
|
|
/* Delete the cdev on this minor as well */
|
|
cdev_del(&devnode->cdev);
|
|
mutex_unlock(&media_devnode_lock);
|
|
device_del(&devnode->dev);
|
|
devnode->media_dev = NULL;
|
|
put_device(&devnode->dev);
|
|
}
|
|
|
|
/*
|
|
* Initialise media for linux
|
|
*/
|
|
static int __init media_devnode_init(void)
|
|
{
|
|
int ret;
|
|
|
|
pr_info("Linux media interface: v0.10\n");
|
|
ret = alloc_chrdev_region(&media_dev_t, 0, MEDIA_NUM_DEVICES,
|
|
MEDIA_NAME);
|
|
if (ret < 0) {
|
|
pr_warn("unable to allocate major\n");
|
|
return ret;
|
|
}
|
|
|
|
ret = bus_register(&media_bus_type);
|
|
if (ret < 0) {
|
|
unregister_chrdev_region(media_dev_t, MEDIA_NUM_DEVICES);
|
|
pr_warn("bus_register failed\n");
|
|
return -EIO;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void __exit media_devnode_exit(void)
|
|
{
|
|
bus_unregister(&media_bus_type);
|
|
unregister_chrdev_region(media_dev_t, MEDIA_NUM_DEVICES);
|
|
}
|
|
|
|
subsys_initcall(media_devnode_init);
|
|
module_exit(media_devnode_exit)
|
|
|
|
MODULE_AUTHOR("Laurent Pinchart <laurent.pinchart@ideasonboard.com>");
|
|
MODULE_DESCRIPTION("Device node registration for media drivers");
|
|
MODULE_LICENSE("GPL");
|