From patchwork Tue Nov 15 13:18:19 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: V4bel X-Patchwork-Id: 13043679 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B1972C43219 for ; Tue, 15 Nov 2022 13:19:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231960AbiKONTh (ORCPT ); Tue, 15 Nov 2022 08:19:37 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50592 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230293AbiKONTg (ORCPT ); Tue, 15 Nov 2022 08:19:36 -0500 Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B969DF65; Tue, 15 Nov 2022 05:19:35 -0800 (PST) Received: by mail-pj1-x1035.google.com with SMTP id m14-20020a17090a3f8e00b00212dab39bcdso16908487pjc.0; Tue, 15 Nov 2022 05:19:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=cBch5pppd+NX8gkS8T84g9RR1lHCjzx5GtDgMJO1iaw=; b=j+zyidicxNMuoreIHpzOzgdqjpk2MO+3Sz72gVDtkrgHS6SU/aInCILnhfk3O/eROP Ie2C6wvZn9nH5tTQiyVQUWn93rj07BWVhHooPx9JqIv7tlWnXsvaUh1wNj5+r9YVTprZ C7i6yylOoWpIs6t/ssY95MZff8UMu1iOzZk+GWwukwmymRcQCnZPYny/6vXdTXoM2w83 LWbX7MToIhu1Zx/Lbp/nzf5HcKco/9G2VIHFg+HdAZqh7nI/QhSmbvpMRnk8sFHaN7Th CnAgq5JtVVnnx6z+S5o5VqeIjfyzKrtdJp+3q23yyifAyUIsupqhyFE+MAG2wbqkm7fp RD/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=cBch5pppd+NX8gkS8T84g9RR1lHCjzx5GtDgMJO1iaw=; b=TuJtH2iIF7D3vrOUxCtzJQMl720fG0AodbI95NrVFERAKu27Dj6Grg0W6+jMpjabdA JM8M3ABesQJ9XZ/8qF71+8Jsx7yTkBbbQPq/esye58HUFQMZ3vmsS6Xn3FVubC+DnJP7 OO857TbxtRG7E5Z+/j0PlIBDwSFaQg5+Cl24BWfX1rHWqIiPAKKjK5tkuQmn8lbFR2dH w9b00mbM/PwLJma6B2z1HD2NS9AlPj2MvXxA0ktb/fRaVxx7iUCik8yyxaYQc40RWRK7 JM859JziMhiS0jKM/UxJEnoljXcvj/TS6yC7WUjxziRkMGoed9JOJlhf2UVfQ6hucRnf /TIA== X-Gm-Message-State: ANoB5pmib0pWxDRNSPvmEPOgNABaHFNgqgqZMPWjogTBhVplBunhmmvu GRE1t7rSWbzwVmJEgJ2w9YRy4OEPVOk= X-Google-Smtp-Source: AA0mqf5Hd3blaDODWXpuIBaH6HpCKjIxSvinF2iCXvbftYP9YbUjg3gR+LiZbqNEz56GanLaSKkFHA== X-Received: by 2002:a17:90a:13:b0:213:cb87:8cd4 with SMTP id 19-20020a17090a001300b00213cb878cd4mr2282282pja.78.1668518374993; Tue, 15 Nov 2022 05:19:34 -0800 (PST) Received: from localhost.localdomain ([175.124.254.119]) by smtp.gmail.com with ESMTPSA id i24-20020aa796f8000000b00562784609fbsm8670937pfq.209.2022.11.15.05.19.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Nov 2022 05:19:34 -0800 (PST) From: imv4bel@gmail.com To: mchehab@kernel.org Cc: Hyunwoo Kim , kernel@tuxforce.de, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, cai.huoqing@linux.dev, tiwai@suse.de Subject: [PATCH 1/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_frontend Date: Tue, 15 Nov 2022 05:18:19 -0800 Message-Id: <20221115131822.6640-2-imv4bel@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221115131822.6640-1-imv4bel@gmail.com> References: <20221115131822.6640-1-imv4bel@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org From: Hyunwoo Kim If the device node of dvb_frontend is open() and the device is disconnected, many kinds of UAFs may occur when calling close() on the device node. The root cause of this is that wake_up() for dvbdev->wait_queue is implemented in the dvb_frontend_release() function, but wait_event() is not implemented in the dvb_frontend_stop() function. So, implement wait_event() function in dvb_frontend_stop() and add 'remove_mutex' which prevents race condition for 'fe->exit'. Signed-off-by: Hyunwoo Kim --- drivers/media/dvb-core/dvb_frontend.c | 39 +++++++++++++++++++++++---- include/media/dvb_frontend.h | 6 ++++- 2 files changed, 39 insertions(+), 6 deletions(-) diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c index 48e735cdbe6b..b3556e3580c6 100644 --- a/drivers/media/dvb-core/dvb_frontend.c +++ b/drivers/media/dvb-core/dvb_frontend.c @@ -809,6 +809,8 @@ static void dvb_frontend_stop(struct dvb_frontend *fe) dev_dbg(fe->dvb->device, "%s:\n", __func__); + mutex_lock(&fe->remove_mutex); + if (fe->exit != DVB_FE_DEVICE_REMOVED) fe->exit = DVB_FE_NORMAL_EXIT; mb(); @@ -818,6 +820,13 @@ static void dvb_frontend_stop(struct dvb_frontend *fe) kthread_stop(fepriv->thread); + mutex_unlock(&fe->remove_mutex); + + if (fepriv->dvbdev->users < -1) { + wait_event(fepriv->dvbdev->wait_queue, + fepriv->dvbdev->users == -1); + } + sema_init(&fepriv->sem, 1); fepriv->state = FESTATE_IDLE; @@ -2750,9 +2759,13 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) struct dvb_adapter *adapter = fe->dvb; int ret; + mutex_lock(&fe->remove_mutex); + dev_dbg(fe->dvb->device, "%s:\n", __func__); - if (fe->exit == DVB_FE_DEVICE_REMOVED) + if (fe->exit == DVB_FE_DEVICE_REMOVED) { + mutex_unlock(&fe->remove_mutex); return -ENODEV; + } if (adapter->mfe_shared) { mutex_lock(&adapter->mfe_lock); @@ -2773,8 +2786,10 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) while (mferetry-- && (mfedev->users != -1 || mfepriv->thread)) { if (msleep_interruptible(500)) { - if (signal_pending(current)) + if (signal_pending(current)) { + mutex_unlock(&fe->remove_mutex); return -EINTR; + } } } @@ -2786,6 +2801,7 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) if (mfedev->users != -1 || mfepriv->thread) { mutex_unlock(&adapter->mfe_lock); + mutex_unlock(&fe->remove_mutex); return -EBUSY; } adapter->mfe_dvbdev = dvbdev; @@ -2845,6 +2861,8 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) if (adapter->mfe_shared) mutex_unlock(&adapter->mfe_lock); + + mutex_unlock(&fe->remove_mutex); return ret; err3: @@ -2866,6 +2884,8 @@ static int dvb_frontend_open(struct inode *inode, struct file *file) err0: if (adapter->mfe_shared) mutex_unlock(&adapter->mfe_lock); + + mutex_unlock(&fe->remove_mutex); return ret; } @@ -2876,6 +2896,8 @@ static int dvb_frontend_release(struct inode *inode, struct file *file) struct dvb_frontend_private *fepriv = fe->frontend_priv; int ret; + mutex_lock(&fe->remove_mutex); + dev_dbg(fe->dvb->device, "%s:\n", __func__); if ((file->f_flags & O_ACCMODE) != O_RDONLY) { @@ -2897,11 +2919,17 @@ static int dvb_frontend_release(struct inode *inode, struct file *file) } mutex_unlock(&fe->dvb->mdev_lock); #endif - if (fe->exit != DVB_FE_NO_EXIT) - wake_up(&dvbdev->wait_queue); if (fe->ops.ts_bus_ctrl) fe->ops.ts_bus_ctrl(fe, 0); - } + + if (fe->exit != DVB_FE_NO_EXIT) { + mutex_unlock(&fe->remove_mutex); + wake_up(&dvbdev->wait_queue); + } else + mutex_unlock(&fe->remove_mutex); + + } else + mutex_unlock(&fe->remove_mutex); dvb_frontend_put(fe); @@ -3000,6 +3028,7 @@ int dvb_register_frontend(struct dvb_adapter *dvb, fepriv = fe->frontend_priv; kref_init(&fe->refcount); + mutex_init(&fe->remove_mutex); /* * After initialization, there need to be two references: one diff --git a/include/media/dvb_frontend.h b/include/media/dvb_frontend.h index e7c44870f20d..411ec32cd8df 100644 --- a/include/media/dvb_frontend.h +++ b/include/media/dvb_frontend.h @@ -686,7 +686,10 @@ struct dtv_frontend_properties { * @id: Frontend ID * @exit: Used to inform the DVB core that the frontend * thread should exit (usually, means that the hardware - * got disconnected. + * got disconnected.) + * @remove_mutex: mutex that avoids a race condition between a callback + * called when the hardware is disconnected and the + * file_operations of dvb_frontend */ struct dvb_frontend { @@ -704,6 +707,7 @@ struct dvb_frontend { int (*callback)(void *adapter_priv, int component, int cmd, int arg); int id; unsigned int exit; + struct mutex remove_mutex; }; /** From patchwork Tue Nov 15 13:18:20 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: V4bel X-Patchwork-Id: 13043680 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D238C4332F for ; Tue, 15 Nov 2022 13:19:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232718AbiKONTj (ORCPT ); Tue, 15 Nov 2022 08:19:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50618 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230293AbiKONTi (ORCPT ); Tue, 15 Nov 2022 08:19:38 -0500 Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18382EE11; Tue, 15 Nov 2022 05:19:37 -0800 (PST) Received: by mail-pl1-x630.google.com with SMTP id w23so6703611ply.12; Tue, 15 Nov 2022 05:19:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=znS0rqqtTDUdb8E5/+tBTInCz3XUVIVDecWR4eZBNxM=; b=MO3aWW9NRD17cN4leJHbToXg2sW3aSkdfndSnZ/uCzd1nN4kkclJVvBX4eLZY1QP/1 03wGuA6/pyRIryXv7gOKPAGDY+XfIwuzoOvKS6gy9zJ5fCiZpc0P5Gn11NLdBAwAoUTv /iE+5TtTODL4+rrkq8+FjSTMlWhIvoLSzDDDPbifSHp+/fMXjspkxyJHVnf38pyn9OMh HlKnD/uZDmdgCgO6pBRw1aF/RioQN9W1TtqPxblAx1EDbbHZrMjK7SwzGtBfZjV6AO0a XfoCPjvxU9IrwTtilI+Czj222gpzlSFAw4a62yJH6t3/gFsmOZLkYswMxUDElZGkpANR qgeg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=znS0rqqtTDUdb8E5/+tBTInCz3XUVIVDecWR4eZBNxM=; b=3q7FBn5gZ0DSO8AkdnBDYDuHaGV0GzOlsJ3vM7ZBxdxZZJVq1/FxnHI12VDSL2E+rm Ulu3BR+au5h+MbTfeVe8r1gYu+PaNyibGh+2HhzPRve2l+nbK0MCtNr2/r4ZZ5sphCYl fQGz1BgRpO5cK8vxR5flWOdHDKNtSo/u4NIuff/6S6SBjGWTTZuhk9ECQEcz3ugrjEOg STg1V/AJdnoeMpoOjFnE6osYXsYFtFQvnaqJjzXzvjzvFfS5+iWnouvGnTT8AnJ+GtW4 x+jeTW+wzgWUOwFQuC8cdozwonKAzAxncv3Fg0nUlXJq/mEWpntIGG2m2U1zqv9Di7m/ M6iQ== X-Gm-Message-State: ANoB5pmOVTpvoPdnlYEl8DC30hHvYk8Ud8Zftk3CFiNiunAZCduFyQNN TlAa3wcs7rGw0AYAdEXb7CI= X-Google-Smtp-Source: AA0mqf6q2jIldsOskDuB1kxT1FkBYpPkKIF/eil7zpgEY417WXNDorwUQmdjFMmywA6dbDWvxR4bTA== X-Received: by 2002:a17:902:7d87:b0:176:a6fb:801a with SMTP id a7-20020a1709027d8700b00176a6fb801amr3967672plm.97.1668518377405; Tue, 15 Nov 2022 05:19:37 -0800 (PST) Received: from localhost.localdomain ([175.124.254.119]) by smtp.gmail.com with ESMTPSA id i24-20020aa796f8000000b00562784609fbsm8670937pfq.209.2022.11.15.05.19.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Nov 2022 05:19:37 -0800 (PST) From: imv4bel@gmail.com To: mchehab@kernel.org Cc: Hyunwoo Kim , kernel@tuxforce.de, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, cai.huoqing@linux.dev, tiwai@suse.de Subject: [PATCH 2/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_net Date: Tue, 15 Nov 2022 05:18:20 -0800 Message-Id: <20221115131822.6640-3-imv4bel@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221115131822.6640-1-imv4bel@gmail.com> References: <20221115131822.6640-1-imv4bel@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org From: Hyunwoo Kim A race condition may occur between the .disconnect function, which is called when the device is disconnected, and the dvb_device_open() function, which is called when the device node is open()ed. This results in several types of UAFs. The root cause of this is that you use the dvb_device_open() function, which does not implement a conditional statement that checks 'dvbnet->exit'. So, add 'remove_mutex` to protect 'dvbnet->exit' and use locked_dvb_net_open() function to check 'dvbnet->exit'. Signed-off-by: Hyunwoo Kim --- drivers/media/dvb-core/dvb_net.c | 37 +++++++++++++++++++++++++++++--- include/media/dvb_net.h | 4 ++++ 2 files changed, 38 insertions(+), 3 deletions(-) diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c index 8a2febf33ce2..bdfc6609cb93 100644 --- a/drivers/media/dvb-core/dvb_net.c +++ b/drivers/media/dvb-core/dvb_net.c @@ -1564,15 +1564,42 @@ static long dvb_net_ioctl(struct file *file, return dvb_usercopy(file, cmd, arg, dvb_net_do_ioctl); } +static int locked_dvb_net_open(struct inode *inode, struct file *file) +{ + struct dvb_device *dvbdev = file->private_data; + struct dvb_net *dvbnet = dvbdev->priv; + int ret; + + if (mutex_lock_interruptible(&dvbnet->remove_mutex)) + return -ERESTARTSYS; + + if (dvbnet->exit) { + mutex_unlock(&dvbnet->remove_mutex); + return -ENODEV; + } + + ret = dvb_generic_open(inode, file); + + mutex_unlock(&dvbnet->remove_mutex); + + return ret; +} + static int dvb_net_close(struct inode *inode, struct file *file) { struct dvb_device *dvbdev = file->private_data; struct dvb_net *dvbnet = dvbdev->priv; + mutex_lock(&dvbnet->remove_mutex); + dvb_generic_release(inode, file); - if(dvbdev->users == 1 && dvbnet->exit == 1) + if (dvbdev->users == 1 && dvbnet->exit == 1) { + mutex_unlock(&dvbnet->remove_mutex); wake_up(&dvbdev->wait_queue); + } else + mutex_unlock(&dvbnet->remove_mutex); + return 0; } @@ -1580,7 +1607,7 @@ static int dvb_net_close(struct inode *inode, struct file *file) static const struct file_operations dvb_net_fops = { .owner = THIS_MODULE, .unlocked_ioctl = dvb_net_ioctl, - .open = dvb_generic_open, + .open = locked_dvb_net_open, .release = dvb_net_close, .llseek = noop_llseek, }; @@ -1599,10 +1626,13 @@ void dvb_net_release (struct dvb_net *dvbnet) { int i; + mutex_lock(&dvbnet->remove_mutex); dvbnet->exit = 1; + mutex_unlock(&dvbnet->remove_mutex); + if (dvbnet->dvbdev->users < 1) wait_event(dvbnet->dvbdev->wait_queue, - dvbnet->dvbdev->users==1); + dvbnet->dvbdev->users == 1); dvb_unregister_device(dvbnet->dvbdev); @@ -1621,6 +1651,7 @@ int dvb_net_init (struct dvb_adapter *adap, struct dvb_net *dvbnet, int i; mutex_init(&dvbnet->ioctl_mutex); + mutex_init(&dvbnet->remove_mutex); dvbnet->demux = dmx; for (i=0; i X-Patchwork-Id: 13043681 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4334CC433FE for ; Tue, 15 Nov 2022 13:19:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232839AbiKONTm (ORCPT ); Tue, 15 Nov 2022 08:19:42 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232235AbiKONTl (ORCPT ); Tue, 15 Nov 2022 08:19:41 -0500 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 55B62E0F2; Tue, 15 Nov 2022 05:19:40 -0800 (PST) Received: by mail-pj1-x1030.google.com with SMTP id u8-20020a17090a5e4800b002106dcdd4a0so16898793pji.1; Tue, 15 Nov 2022 05:19:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=fR4pDvjd5fSGvFGv8BsWNu5bZa0EAfiIvudMWeeMJIc=; b=jIJHOvBlY/hJCTORa8jYJOwoJDQTaCtXauUKbVA+OGVOBvIDBU2T5ZPfFZ2omrluHH VvCwfUn29gvOk8M8/ByedOVIYSBlUDa7xKtmpHSF3CqlD5G1xF64kPRXwtr/rNkBnaru gPyaJPX45pw+SVrFExk/aBw6FUT2THooxLt2KC2IIgS/dJ2xMsnF0mSPVbtmAKVXeplL W+dzCyJquFStj8+5zMKAXM/bf0v2ovtiMmZAY/FcTw3sEHYlgZexU6LZ8GY1Rrgi5Fmo 5OUChVABGeNFvDWYOpFAcm/0UkQZFqzK/F52DLy59nsaqb3E8p5KuwOGVfDvZ6hTRBCk vtBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=fR4pDvjd5fSGvFGv8BsWNu5bZa0EAfiIvudMWeeMJIc=; b=IAtUPzYCbKbVup7ia6R6MLdQ7B1f91hEvSgAtdaT7MBnvksusFJdqJBZr8zZcOSxLS MMeKbrPUKc36/8GfA23Ije4QiMAOlf4gI8K5HN/n5Hx9xbSSAlmnHWo9mq+XWa2Ql2B7 sx3Xpc5KnWsRemRQpKoke3vcEjnqqp5f0qhMxzfDsqq77p5dS20wzLGpNrzMy8JROmqQ bopv13G+O1Rsd/hFc8PPiGmcNIs6Vm8iX303GAskV0peN/C/4A0um+BVK8iqojqJRVfx Gxlf+4e4oF3pD2dQgtnaiwdsNQFwEaF+lXNIN2XKFIGxKQN6QYEAT4xdMbQZ2NCL6Mzo IHMg== X-Gm-Message-State: ANoB5pmlTTMbLkoM+Vq0KGSEpPboxrfuCfZkxdng56ZTJzl1tUVCkMSU B6XLXmyaimDhaGolxeLnpgk= X-Google-Smtp-Source: AA0mqf6kM99b6lZCUBoKHyk1CYBEWka+7ZFBr4KzSUN4MiMIMgozxkEo17Yiec7FWio2SnJSrc3Hpw== X-Received: by 2002:a17:90a:974a:b0:214:9cc:1d2a with SMTP id i10-20020a17090a974a00b0021409cc1d2amr2217149pjw.59.1668518379833; Tue, 15 Nov 2022 05:19:39 -0800 (PST) Received: from localhost.localdomain ([175.124.254.119]) by smtp.gmail.com with ESMTPSA id i24-20020aa796f8000000b00562784609fbsm8670937pfq.209.2022.11.15.05.19.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Nov 2022 05:19:39 -0800 (PST) From: imv4bel@gmail.com To: mchehab@kernel.org Cc: Hyunwoo Kim , kernel@tuxforce.de, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, cai.huoqing@linux.dev, tiwai@suse.de Subject: [PATCH 3/4] media: dvb-core: Fix use-after-free due to race condition occurring in dvb_register_device() Date: Tue, 15 Nov 2022 05:18:21 -0800 Message-Id: <20221115131822.6640-4-imv4bel@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221115131822.6640-1-imv4bel@gmail.com> References: <20221115131822.6640-1-imv4bel@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org From: Hyunwoo Kim dvb_register_device() dynamically allocates fops with kmemdup() to set the fops->owner. And these fops are registered in 'file->f_ops' using replace_fops() in the dvb_device_open() process, and kfree()d in dvb_free_device(). However, it is not common to use dynamically allocated fops instead of 'static const' fops as an argument of replace_fops(), and UAF may occur. These UAFs can occur on any dvb type using dvb_register_device(), such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc. So, instead of kfree() the fops dynamically allocated in dvb_register_device() in dvb_free_device() called during the .disconnect() process, kfree() it collectively in exit_dvbdev() called when the dvbdev.c module is removed. Signed-off-by: Hyunwoo Kim --- drivers/media/dvb-core/dvbdev.c | 83 ++++++++++++++++++++++++--------- include/media/dvbdev.h | 15 ++++++ 2 files changed, 77 insertions(+), 21 deletions(-) diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index 675d877a67b2..424cf92c068e 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -27,6 +27,7 @@ #include static DEFINE_MUTEX(dvbdev_mutex); +static LIST_HEAD(dvbdevfops_list); static int dvbdev_debug; module_param(dvbdev_debug, int, 0644); @@ -448,14 +449,15 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, enum dvb_device_type type, int demux_sink_pads) { struct dvb_device *dvbdev; - struct file_operations *dvbdevfops; + struct file_operations *dvbdevfops = NULL; + struct dvbdevfops_node *node, *new_node; struct device *clsdev; int minor; int id, ret; mutex_lock(&dvbdev_register_lock); - if ((id = dvbdev_get_free_id (adap, type)) < 0){ + if ((id = dvbdev_get_free_id (adap, type)) < 0) { mutex_unlock(&dvbdev_register_lock); *pdvbdev = NULL; pr_err("%s: couldn't find free device id\n", __func__); @@ -463,18 +465,45 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, } *pdvbdev = dvbdev = kzalloc(sizeof(*dvbdev), GFP_KERNEL); - if (!dvbdev){ mutex_unlock(&dvbdev_register_lock); return -ENOMEM; } - dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); + /* + * When a device of the same type is probe()d more than once, + * the first allocated fops are used. This prevents memory leaks + * that can occur when the same device is probe()d repeatedly. + */ + list_for_each_entry(node, &dvbdevfops_list, list_head) { + if (node->fops->owner == adap->module && + node->type == type && + node->template == template) { + dvbdevfops = node->fops; + break; + } + } - if (!dvbdevfops){ - kfree (dvbdev); - mutex_unlock(&dvbdev_register_lock); - return -ENOMEM; + if (dvbdevfops == NULL) { + dvbdevfops = kmemdup(template->fops, sizeof(*dvbdevfops), GFP_KERNEL); + if (!dvbdevfops) { + kfree(dvbdev); + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } + + new_node = kzalloc(sizeof(struct dvbdevfops_node), GFP_KERNEL); + if (!new_node) { + kfree(dvbdevfops); + kfree(dvbdev); + mutex_unlock(&dvbdev_register_lock); + return -ENOMEM; + } + + new_node->fops = dvbdevfops; + new_node->type = type; + new_node->template = template; + list_add_tail (&new_node->list_head, &dvbdevfops_list); } memcpy(dvbdev, template, sizeof(struct dvb_device)); @@ -484,20 +513,20 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, dvbdev->priv = priv; dvbdev->fops = dvbdevfops; init_waitqueue_head (&dvbdev->wait_queue); - dvbdevfops->owner = adap->module; - list_add_tail (&dvbdev->list_head, &adap->device_list); - down_write(&minor_rwsem); #ifdef CONFIG_DVB_DYNAMIC_MINORS for (minor = 0; minor < MAX_DVB_MINORS; minor++) if (dvb_minors[minor] == NULL) break; - if (minor == MAX_DVB_MINORS) { + if (new_node) { + list_del (&new_node->list_head); + kfree(dvbdevfops); + kfree(new_node); + } list_del (&dvbdev->list_head); - kfree(dvbdevfops); kfree(dvbdev); up_write(&minor_rwsem); mutex_unlock(&dvbdev_register_lock); @@ -506,41 +535,46 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, #else minor = nums2minor(adap->num, type, id); #endif - dvbdev->minor = minor; dvb_minors[minor] = dvbdev; up_write(&minor_rwsem); - ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads); if (ret) { pr_err("%s: dvb_register_media_device failed to create the mediagraph\n", __func__); - + if (new_node) { + list_del (&new_node->list_head); + kfree(dvbdevfops); + kfree(new_node); + } dvb_media_device_free(dvbdev); list_del (&dvbdev->list_head); - kfree(dvbdevfops); kfree(dvbdev); mutex_unlock(&dvbdev_register_lock); return ret; } - mutex_unlock(&dvbdev_register_lock); - clsdev = device_create(dvb_class, adap->device, MKDEV(DVB_MAJOR, minor), dvbdev, "dvb%d.%s%d", adap->num, dnames[type], id); if (IS_ERR(clsdev)) { pr_err("%s: failed to create device dvb%d.%s%d (%ld)\n", __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); + if (new_node) { + list_del (&new_node->list_head); + kfree(dvbdevfops); + kfree(new_node); + } dvb_media_device_free(dvbdev); list_del (&dvbdev->list_head); - kfree(dvbdevfops); kfree(dvbdev); return PTR_ERR(clsdev); } + dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n", adap->num, dnames[type], id, minor, minor); + mutex_unlock(&dvbdev_register_lock); return 0; } EXPORT_SYMBOL(dvb_register_device); @@ -569,7 +603,6 @@ void dvb_free_device(struct dvb_device *dvbdev) if (!dvbdev) return; - kfree (dvbdev->fops); kfree (dvbdev); } EXPORT_SYMBOL(dvb_free_device); @@ -1061,9 +1094,17 @@ static int __init init_dvbdev(void) static void __exit exit_dvbdev(void) { + struct dvbdevfops_node *node, *next; + class_destroy(dvb_class); cdev_del(&dvb_device_cdev); unregister_chrdev_region(MKDEV(DVB_MAJOR, 0), MAX_DVB_MINORS); + + list_for_each_entry_safe(node, next, &dvbdevfops_list, list_head) { + list_del (&node->list_head); + kfree(node->fops); + kfree(node); + } } subsys_initcall(init_dvbdev); diff --git a/include/media/dvbdev.h b/include/media/dvbdev.h index 2f6b0861322a..1e5413303705 100644 --- a/include/media/dvbdev.h +++ b/include/media/dvbdev.h @@ -187,6 +187,21 @@ struct dvb_device { void *priv; }; +/** + * struct dvbdevfops_node - fops nodes registered in dvbdevfops_list + * + * @fops: Dynamically allocated fops for ->owner registration + * @type: type of dvb_device + * @template: dvb_device used for registration + * @list_head: list_head for dvbdevfops_list + */ +struct dvbdevfops_node { + struct file_operations *fops; + enum dvb_device_type type; + const struct dvb_device *template; + struct list_head list_head; +}; + /** * dvb_register_adapter - Registers a new DVB adapter * From patchwork Tue Nov 15 13:18:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: V4bel X-Patchwork-Id: 13043682 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EAE90C43217 for ; Tue, 15 Nov 2022 13:19:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232917AbiKONTo (ORCPT ); Tue, 15 Nov 2022 08:19:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50696 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233025AbiKONTn (ORCPT ); Tue, 15 Nov 2022 08:19:43 -0500 Received: from mail-pj1-x1030.google.com (mail-pj1-x1030.google.com [IPv6:2607:f8b0:4864:20::1030]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AA88711C16; Tue, 15 Nov 2022 05:19:42 -0800 (PST) Received: by mail-pj1-x1030.google.com with SMTP id e7-20020a17090a77c700b00216928a3917so16869239pjs.4; Tue, 15 Nov 2022 05:19:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=QMXbPuT8/apKqChj/zU2J23s1sl6whOKF1BEx7eXQxI=; b=Bef/p6nhKlBugQnck4zBnZEky3g+7F0dsB7bsfZCxG9NiLOKVrzps0RQTSyn+tWZCO 2P2LimiU9odXGC9p9Ju3Xc2ImB+z2fuXcBuuG/EIQJA0lpjfZKW9cwfnvDkggWhZ92Qs Ytiu5LayryCinoTlXE8Q/YUuPnMIgcw8HyonZUYPdKFlRiAef7sBvyYc5ohglQMdy8qC mjnxG9Ay0+DRBaKSB9ZsLai4cG8Q04xtgTVVw2+qSfrbbttkIobblAKBLquEJSqplZ7D p/qEbDWqHIDCtpRRJLEXseJtA/FUMOlioyfQO3oszJHc4nK7cyiMbSXmOHo4iiU4Dn0t +QCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QMXbPuT8/apKqChj/zU2J23s1sl6whOKF1BEx7eXQxI=; b=PrPVwoKj6iPuaLYW7IBymJNbFdeHz0GijIxD1MRRLOBuPniVPUyihNjI0xPT0YarWT wT+TKOMuHZOkKDtjkABDAVjDdosSh4mbO3Vnbf0GnwI2W9hCzUB14PiP2BUW+qF8GkNQ gUr7M0mcOiwOjV2zX49kTZ4xDFwYyN9Uh0qFAIb/bdk1CLQ9f+tVTMWb2FL716YY2C5F q+A9Ahgkr4nDqco+NnD8H86O7Mmk0ivnvmvbdA6AO+2G9Z6w7JiNI+2nmsnxo5sB/D8e X35Tug8KzLV1Or+B/COhNh+WDBPxZN12nBdc7DvEKAqyXMYHN0sWtTQcedLUcYQZ9zjX +0/g== X-Gm-Message-State: ANoB5pn5DBL9FgIYFsBSrYdR4OvIcxwZHbbmyV4VjnpEXVDyepBJqbXO EaqKPrwYQxd+JTKKfAIfolg= X-Google-Smtp-Source: AA0mqf51UB87woqrbzm1Zfx62dB3veGCWwS7XDUSaHN6MvnCwkLEreoDDtrAq3J8UomMrcZzl7VBfw== X-Received: by 2002:a17:902:f54d:b0:186:6e16:18dd with SMTP id h13-20020a170902f54d00b001866e1618ddmr3939156plf.131.1668518382213; Tue, 15 Nov 2022 05:19:42 -0800 (PST) Received: from localhost.localdomain ([175.124.254.119]) by smtp.gmail.com with ESMTPSA id i24-20020aa796f8000000b00562784609fbsm8670937pfq.209.2022.11.15.05.19.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Nov 2022 05:19:41 -0800 (PST) From: imv4bel@gmail.com To: mchehab@kernel.org Cc: Hyunwoo Kim , kernel@tuxforce.de, linux-media@vger.kernel.org, linux-usb@vger.kernel.org, cai.huoqing@linux.dev, tiwai@suse.de Subject: [PATCH 4/4] media: ttusb-dec: Fix memory leak in ttusb_dec_exit_dvb() Date: Tue, 15 Nov 2022 05:18:22 -0800 Message-Id: <20221115131822.6640-5-imv4bel@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221115131822.6640-1-imv4bel@gmail.com> References: <20221115131822.6640-1-imv4bel@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org From: Hyunwoo Kim Since dvb_frontend_detach() is not called in ttusb_dec_exit_dvb(), which is called when the device is disconnected, dvb_frontend_free() is not finally called. This causes a memory leak just by repeatedly plugging and unplugging the device. Fix this issue by adding dvb_frontend_detach() to ttusb_dec_exit_dvb(). Signed-off-by: Hyunwoo Kim --- drivers/media/usb/ttusb-dec/ttusb_dec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c index 38822cedd93a..c4474d4c44e2 100644 --- a/drivers/media/usb/ttusb-dec/ttusb_dec.c +++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c @@ -1544,8 +1544,7 @@ static void ttusb_dec_exit_dvb(struct ttusb_dec *dec) dvb_dmx_release(&dec->demux); if (dec->fe) { dvb_unregister_frontend(dec->fe); - if (dec->fe->ops.release) - dec->fe->ops.release(dec->fe); + dvb_frontend_detach(dec->fe); } dvb_unregister_adapter(&dec->adapter); }