From patchwork Wed Aug 2 16:45:59 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthias Schwarzott X-Patchwork-Id: 42913 Received: from vger.kernel.org ([209.132.180.67]) by www.linuxtv.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dcwmr-00027m-VY; Wed, 02 Aug 2017 16:46:22 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751554AbdHBQqU (ORCPT + 1 other); Wed, 2 Aug 2017 12:46:20 -0400 Received: from smtp.gentoo.org ([140.211.166.183]:43612 "EHLO smtp.gentoo.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751154AbdHBQqT (ORCPT ); Wed, 2 Aug 2017 12:46:19 -0400 Received: from gauss.fritz.box (unknown [IPv6:2001:a62:244:7301:128f:9e6b:6314:f6a2]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: zzam) by smtp.gentoo.org (Postfix) with ESMTPSA id 40E63341866; Wed, 2 Aug 2017 16:46:18 +0000 (UTC) From: Matthias Schwarzott To: linux-media@vger.kernel.org Cc: mchehab@osg.samsung.com, crope@iki.fi, Matthias Schwarzott Subject: [PATCH 1/2] cx23885: Fix use-after-free when unregistering the i2c_client for the dvb demod Date: Wed, 2 Aug 2017 18:45:59 +0200 Message-Id: <20170802164600.19553-2-zzam@gentoo.org> X-Mailer: git-send-email 2.13.3 In-Reply-To: <20170802164600.19553-1-zzam@gentoo.org> References: <20170802164600.19553-1-zzam@gentoo.org> Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org Unregistering the i2c_client of the demod driver destroys the frontend object. Calling vb2_dvb_unregister_bus later accesses the frontend (and with the refcount_t) conversion the refcount_t code complains: kernel: ------------[ cut here ]------------ kernel: WARNING: CPU: 0 PID: 7883 at lib/refcount.c:128 refcount_sub_and_test+0x70/0x80 kernel: refcount_t: underflow; use-after-free. kernel: Modules linked in: bluetooth si2165(O) a8293(O) tda10071(O) tea5767(O) tuner(O) cx23885(O-) tda18271(O) videobuf2_dvb(O) videobuf2_dma_sg(O) m88ds3103(O) tveeprom(O) cx2341x(O) v4l2_common(O) dvb_core(O) rc_core(O) videobuf2_memops(O) videobuf2_v4l2(O) ums_realtek videobuf2_core(O) uas videodev(O) media(O) rtl8192cu i2c_mux usb_storage rtl_usb rtl8192c_common rtlwifi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core x86_pkg_temp_thermal kvm_intel kvm irqbypass kernel: CPU: 0 PID: 7883 Comm: rmmod Tainted: G W O 4.11.3-gentoo #3 kernel: Hardware name: MEDION E2050 2391/H81H3-EM2, BIOS H81EM2W08.308 08/25/2014 kernel: Call Trace: kernel: dump_stack+0x4d/0x66 kernel: __warn+0xc6/0xe0 kernel: warn_slowpath_fmt+0x46/0x50 kernel: ? kobject_put+0x2f/0x60 kernel: refcount_sub_and_test+0x70/0x80 kernel: refcount_dec_and_test+0x11/0x20 kernel: dvb_unregister_frontend+0x42/0x60 [dvb_core] kernel: vb2_dvb_dealloc_frontends+0x9e/0x100 [videobuf2_dvb] kernel: vb2_dvb_unregister_bus+0xd/0x20 [videobuf2_dvb] kernel: cx23885_dvb_unregister+0xc3/0x110 [cx23885] kernel: cx23885_dev_unregister+0xea/0x150 [cx23885] kernel: cx23885_finidev+0x4f/0x70 [cx23885] kernel: pci_device_remove+0x34/0xb0 kernel: device_release_driver_internal+0x150/0x200 kernel: driver_detach+0x33/0x70 kernel: bus_remove_driver+0x47/0xa0 kernel: driver_unregister+0x27/0x50 kernel: pci_unregister_driver+0x34/0x90 kernel: cx23885_fini+0x10/0x12 [cx23885] kernel: SyS_delete_module+0x166/0x220 kernel: ? exit_to_usermode_loop+0x7b/0x80 kernel: entry_SYSCALL_64_fastpath+0x17/0x98 kernel: RIP: 0033:0x7f5901680b07 kernel: RSP: 002b:00007ffdf6cdb028 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 kernel: RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f5901680b07 kernel: RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000000001500258 kernel: RBP: 00000000015001f0 R08: 0000000000000000 R09: 1999999999999999 kernel: R10: 0000000000000884 R11: 0000000000000206 R12: 00007ffdf6cda010 kernel: R13: 0000000000000000 R14: 00000000015001f0 R15: 00000000014ff010 kernel: ---[ end trace c3a4659b89086061 ]--- Signed-off-by: Matthias Schwarzott --- drivers/media/pci/cx23885/cx23885-dvb.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/media/pci/cx23885/cx23885-dvb.c b/drivers/media/pci/cx23885/cx23885-dvb.c index 979b66627f60..e795ddeb7fe2 100644 --- a/drivers/media/pci/cx23885/cx23885-dvb.c +++ b/drivers/media/pci/cx23885/cx23885-dvb.c @@ -2637,6 +2637,11 @@ int cx23885_dvb_unregister(struct cx23885_tsport *port) struct vb2_dvb_frontend *fe0; struct i2c_client *client; + fe0 = vb2_dvb_get_frontend(&port->frontends, 1); + + if (fe0 && fe0->dvb.frontend) + vb2_dvb_unregister_bus(&port->frontends); + /* remove I2C client for CI */ client = port->i2c_client_ci; if (client) { @@ -2665,11 +2670,6 @@ int cx23885_dvb_unregister(struct cx23885_tsport *port) i2c_unregister_device(client); } - fe0 = vb2_dvb_get_frontend(&port->frontends, 1); - - if (fe0 && fe0->dvb.frontend) - vb2_dvb_unregister_bus(&port->frontends); - switch (port->dev->board) { case CX23885_BOARD_NETUP_DUAL_DVBS2_CI: netup_ci_exit(port);