talos-obmc-linux - Talos™ II Linux sources for OpenBMC

diff options

author	Shuah Khan <shuahkh@osg.samsung.com>	2016-06-10 14:37:23 -0300
committer	Mauro Carvalho Chehab <mchehab@s-opensource.com>	2016-06-15 17:59:28 -0300
commit	6f0dd24a084a17f9984dd49dffbf7055bf123993 (patch)
tree	e50dbdce2f36d2136d956860f21ece4ff25d20ba /drivers/media/v4l2-core
parent	5b28dde51d0ccc54cee70756e1800d70bed7114a (diff)
download	talos-obmc-linux-6f0dd24a084a17f9984dd49dffbf7055bf123993.tar.gz talos-obmc-linux-6f0dd24a084a17f9984dd49dffbf7055bf123993.zip

[media] media: fix media devnode ioctl/syscall and unregister race

Media devnode open/ioctl could be in progress when media device unregister is initiated. System calls and ioctls check media device registered status at the beginning, however, there is a window where unregister could be in progress without changing the media devnode status to unregistered. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (returns true here) media_device_unregister() (unregister is in progress and devnode isn't unregistered yet) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (returns true here) ... media_devnode_unregister() ... (driver releases the media device memory) media_device_ioctl() (By this point devnode->media_dev does not point to allocated memory. use-after free in in mutex_lock_nested) BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr ffff8801ebe914f0 Fix it by clearing register bit when unregister starts to avoid the race. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (could return true here) media_device_unregister() (clear the register bit, then start unregister.) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (return false here, ioctl returns I/O error, and will not access media device memory) ... media_devnode_unregister() ... (driver releases the media device memory) Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Suggested-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reported-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

Diffstat (limited to 'drivers/media/v4l2-core')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: