From: Uwe Kleine-König
To: Sean Young, Mauro Carvalho Chehab, Neil Armstrong, Kevin Hilman
Cc: Jerome Brunet, Martin Blumenstingl, linux-media@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-amlogic@lists.infradead.org, kernel@pengutronix.de
Subject: [PATCH 0/3] media: meson-ir-tx: Some cleanups and simplifications and a bug report
Date: Thu, 26 Oct 2023 12:18:17 +0200
Message-ID: <20231026101816.2460464-5-u.kleine-koenig@pengutronix.de>
X-Patchwork-Id: 13437454

Hello,

while looking around for drivers still using platform_driver_probe() I
found the meson-ir-tx driver. While looking at it I identified a few
patch opportunities.

I think the driver might be used to trigger a use after free problem
that is caused by the ir core. With my current understanding the
following is possible:

 1) open the ir device and keep it open
 2) unbind the meson-ir-tx device
 3) trigger calling .tx_ir = meson_irtx_transmit using the opened
    device using write()

2) can be done using sysfs or (maybe) by module unloading. The result is
that the memory pointed to by ir is freed and the register mapping goes
away. Even meson_irtx_transmit() might disappear then. Calling
meson_irtx_transmit() then yields all kinds of fun.

I didn't debug in detail so I might miss something.

To fix that you have to make sure that the callbacks don't get called
any more once the rc device is unregistered (and track that information
in memory that doesn't go away with the parent device's remove callback
completing).

Best regards
Uwe

Uwe Kleine-König (3):
  media: meson-ir-tx: Convert to use devm_rc_register_device()
  media: meson-ir-tx: Simplify and improve using dev_err_probe()
  media: meson-ir-tx: Drop usage of platform_driver_probe()

 drivers/media/rc/meson-ir-tx.c | 34 ++++++++++------------------------
 1 file changed, 10 insertions(+), 24 deletions(-)

base-commit: 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
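
A userspace model of the fix direction named in the cover letter above, added here as an illustration; it is not part of the original mail and not the rc core's code. All names (core_dev, core_write, core_unregister, drv_tx) are hypothetical: the "registered" flag lives in core-owned memory and is checked under a lock before the driver callback runs, so a write() on a file opened before the unbind gets -ENODEV instead of reaching freed driver memory.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model with hypothetical names; not the rc core's code. */
struct core_dev {                /* core-owned, lives until the last close */
    pthread_mutex_t lock;
    bool registered;             /* survives the driver's remove callback */
    int (*tx)(void *priv, unsigned int len);
    void *priv;                  /* driver data, freed on unbind */
};

static int drv_tx(void *priv, unsigned int len)
{
    *(unsigned int *)priv += len;    /* touches driver-owned memory */
    return (int)len;
}

/* write() path: the callback runs only while registered, under the lock. */
static int core_write(struct core_dev *c, unsigned int len)
{
    pthread_mutex_lock(&c->lock);
    int ret = c->registered ? c->tx(c->priv, len) : -ENODEV;
    pthread_mutex_unlock(&c->lock);
    return ret;
}

/* Unbind: once this returns, no callback is running and none can start. */
static void core_unregister(struct core_dev *c)
{
    pthread_mutex_lock(&c->lock);
    c->registered = false;
    c->priv = NULL;
    pthread_mutex_unlock(&c->lock);
}

/* Replays steps 1) to 3); returns the result of the write() after unbind. */
int write_after_unbind(void)
{
    unsigned int *priv = calloc(1, sizeof(*priv));   /* driver memory */
    if (!priv)
        return -ENOMEM;
    struct core_dev c = { .lock = PTHREAD_MUTEX_INITIALIZER, .registered = true, .tx = drv_tx, .priv = priv };
    int before = core_write(&c, 4);  /* 1) device is open, write works */
    core_unregister(&c);             /* 2) unbind ... */
    free(priv);                      /*    ... frees the driver memory */
    int after = core_write(&c, 4);   /* 3) write() on the still-open file */
    return before == 4 ? after : before;
}
```

In this model the core object sits on the stack of the demo function; in a real subsystem it would be reference-counted so that it is released by the last close rather than by the unbind.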