git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Zheng Wang <zyytlz.wz@163.com>
	Sat, 18 Mar 2023 08:50:23 +0000 (16:50 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 11 May 2023 14:11:05 +0000 (23:11 +0900)
commit	efccd54c41887e66a03bf7af860ff5eb77c47fcf
tree	351fc9334c96f3705aa6e857217350e1903bb836	tree
parent	ad998076d42b394ca22e41e91c59a6056be6098d	commit \| diff

media: saa7134: fix use after free bug in saa7134_finidev due to race condition

[ Upstream commit 30cf57da176cca80f11df0d9b7f71581fe601389 ]

In saa7134_initdev, it will call saa7134_hwinit1. There are three
function invoking here: saa7134_video_init1, saa7134_ts_init1
and saa7134_vbi_init1.

All of them will init a timer with same function. Take
saa7134_video_init1 as an example. It'll bound &dev->video_q.timeout
with saa7134_buffer_timeout.

In buffer_activate, the timer funtcion is started.

If we remove the module or device which will call saa7134_finidev
to make cleanup, there may be a unfinished work. The
possible sequence is as follows, which will cause a
typical UAF bug.

Fix it by canceling the timer works accordingly before cleanup in
saa7134_finidev.

CPU0                  CPU1

                    |saa7134_buffer_timeout
saa7134_finidev     |
  kfree(dev);       |
                    |
                    | saa7134_buffer_next
                    | //use dev

Fixes: 1e7126b4a86a ("media: saa7134: Convert timers to use timer_setup()")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/media/pci/saa7134/saa7134-ts.c		diff \| blob \| blame \| history
drivers/media/pci/saa7134/saa7134-vbi.c		diff \| blob \| blame \| history
drivers/media/pci/saa7134/saa7134-video.c		diff \| blob \| blame \| history