linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-04 04:23:35 +02:00

History

Chi Zhiling 68594cec29 media: xc2028: avoid use-after-free in load_firmware_cb() syzkaller reported use-after-free in load_firmware_cb() [1]. The reason is because the module allocated a struct tuner in tuner_probe(), and then the module initialization failed, the struct tuner was released. A worker which created during module initialization accesses this struct tuner later, it caused use-after-free. The process is as follows: task-6504 worker_thread tuner_probe <= alloc dvb_frontend [2] ... request_firmware_nowait <= create a worker ... tuner_remove <= free dvb_frontend ... request_firmware_work_func <= the firmware is ready load_firmware_cb <= but now the dvb_frontend has been freed To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is null, report a warning and just return. [1]: ================================================================== BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0 Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504 Call trace: load_firmware_cb+0x1310/0x17a0 request_firmware_work_func+0x128/0x220 process_one_work+0x770/0x1824 worker_thread+0x488/0xea0 kthread+0x300/0x430 ret_from_fork+0x10/0x20 Allocated by task 6504: kzalloc tuner_probe+0xb0/0x1430 i2c_device_probe+0x92c/0xaf0 really_probe+0x678/0xcd0 driver_probe_device+0x280/0x370 __device_attach_driver+0x220/0x330 bus_for_each_drv+0x134/0x1c0 __device_attach+0x1f4/0x410 device_initial_probe+0x20/0x30 bus_probe_device+0x184/0x200 device_add+0x924/0x12c0 device_register+0x24/0x30 i2c_new_device+0x4e0/0xc44 v4l2_i2c_new_subdev_board+0xbc/0x290 v4l2_i2c_new_subdev+0xc8/0x104 em28xx_v4l2_init+0x1dd0/0x3770 Freed by task 6504: kfree+0x238/0x4e4 tuner_remove+0x144/0x1c0 i2c_device_remove+0xc8/0x290 __device_release_driver+0x314/0x5fc device_release_driver+0x30/0x44 bus_remove_device+0x244/0x490 device_del+0x350/0x900 device_unregister+0x28/0xd0 i2c_unregister_device+0x174/0x1d0 v4l2_device_unregister+0x224/0x380 em28xx_v4l2_init+0x1d90/0x3770 The buggy address belongs to the object at ffff8000d7ca2000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 776 bytes inside of 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800) The buggy address belongs to the page: page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0 flags: 0x7ff800000000100(slab) raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== [2] Actually, it is allocated for struct tuner, and dvb_frontend is inside. Signed-off-by: Chi Zhiling <chizhiling@kylinos.cn> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>		2024-06-21 08:57:09 +02:00
..
e4000_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1	2019-05-21 11:28:39 +02:00
e4000.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
e4000.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1	2019-05-21 11:28:39 +02:00
fc001x-common.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
fc0011.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
fc0011.h
fc0012-priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
fc0012.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
fc0012.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
fc0013-priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
fc0013.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
fc0013.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
fc2580_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1	2019-05-21 11:28:39 +02:00
fc2580.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
fc2580.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1	2019-05-21 11:28:39 +02:00
it913x.c	media: it913x: Convert to platform remove callback returning void	2023-04-11 16:59:21 +02:00
it913x.h	media: media tuner headers: fix kernel-doc warnings	2021-03-22 10:24:27 +01:00
Kconfig	media: media/*/Kconfig: sort entries	2022-03-18 05:58:35 +01:00
m88rs6000t.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
m88rs6000t.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
Makefile	media: Makefiles: sort entries where it fits	2022-03-14 09:42:59 +01:00
max2165_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
max2165.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
max2165.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
mc44s803_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
mc44s803.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
mc44s803.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
msi001.c	spi: make remove callback a void function	2022-02-09 13:00:45 +00:00
mt20xx.c
mt20xx.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
mt2060_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
mt2060.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
mt2060.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
mt2063.c	media: fix incorrect kernel doc usages	2021-03-11 11:59:44 +01:00
mt2063.h
mt2131_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
mt2131.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
mt2131.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
mt2266.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
mt2266.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
mxl301rf.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
mxl301rf.h
mxl5005s.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
mxl5005s.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
mxl5007t.c	media: tuners: mxl5007t: Removed unnecessary 'return'	2021-09-30 10:07:40 +02:00
mxl5007t.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
qm1d1b0004.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
qm1d1b0004.h
qm1d1c0042.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
qm1d1c0042.h
qt1010_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
qt1010.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
qt1010.h	media: media tuner headers: fix kernel-doc warnings	2021-03-22 10:24:27 +01:00
r820t.c	media: Print chip type explicitly when loading the Rafael Micro r820t module	2021-12-07 11:29:57 +01:00
r820t.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1	2019-05-21 11:28:39 +02:00
si2157_priv.h	media: si2157: add ATV support for si2158	2021-12-14 16:19:05 +01:00
si2157.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
si2157.h	media: si2157: Add option for not downloading firmware.	2019-10-10 07:07:14 -03:00
tda827x.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
tda827x.h	media: media tuner headers: fix kernel-doc warnings	2021-03-22 10:24:27 +01:00
tda8290.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tda8290.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tda9887.c	media: tda9887: add missing MODULE_DESCRIPTION() macro	2024-06-15 10:49:20 +02:00
tda9887.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tda18212.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
tda18212.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 1	2019-05-21 11:28:39 +02:00
tda18218_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
tda18218.c	media: dvb: symbol fixup for dvb_attach()	2023-09-09 08:15:11 +01:00
tda18218.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
tda18250_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
tda18250.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
tda18250.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
tda18271-common.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tda18271-fe.c	media: tda18271: remove redundant assignment to variable bcal	2024-02-16 11:46:32 +01:00
tda18271-maps.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tda18271-priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tda18271.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tea5761.c
tea5761.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tea5767.c
tea5767.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tua9001_priv.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
tua9001.c	media: Switch i2c drivers back to use .probe()	2023-05-25 16:21:21 +02:00
tua9001.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
tuner-i2c.h	media: tuners: fix error return code of hybrid_tuner_request_state()	2021-03-22 10:21:03 +01:00
tuner-simple.c	media: tuner-simple: fix regression in simple_set_radio_freq	2020-08-26 18:51:50 +02:00
tuner-simple.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61	2019-05-24 17:36:45 +02:00
tuner-types.c	media: xc2028: rename the driver from tuner-xc2028	2022-03-12 16:59:50 +01:00
xc2028-types.h	media: xc2028: rename the driver from tuner-xc2028	2022-03-12 16:59:50 +01:00
xc2028.c	media: xc2028: avoid use-after-free in load_firmware_cb()	2024-06-21 08:57:09 +02:00
xc2028.h	media: xc2028: rename the driver from tuner-xc2028	2022-03-12 16:59:50 +01:00
xc4000.c	media: xc4000: Fix atomicity violation in xc4000_get_frequency	2024-02-05 12:57:44 +01:00
xc4000.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00
xc5000.c	media: tunner: xc5000: Refactor firmware load	2024-04-15 13:42:38 +02:00
xc5000.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157	2019-05-30 11:26:37 -07:00