media: saa7134: fix use after free bug in saa7134_finidev due to race condition
stable inclusion from stable-v5.10.180 commit 7dac96e9cc985328ec1fae92f0c245f559dc0e11 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7ERIV CVE: CVE-2023-3327 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7dac96e9cc985328ec1fae92f0c245f559dc0e11 -------------------------------- [ Upstream commit 30cf57da ] In saa7134_initdev, it will call saa7134_hwinit1. There are three function invoking here: saa7134_video_init1, saa7134_ts_init1 and saa7134_vbi_init1. All of them will init a timer with same function. Take saa7134_video_init1 as an example. It'll bound &dev->video_q.timeout with saa7134_buffer_timeout. In buffer_activate, the timer funtcion is started. If we remove the module or device which will call saa7134_finidev to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the timer works accordingly before cleanup in saa7134_finidev. CPU0 CPU1 |saa7134_buffer_timeout saa7134_finidev | kfree(dev); | | | saa7134_buffer_next | //use dev Fixes: 1e7126b4 ("media: saa7134: Convert timers to use timer_setup()") Signed-off-by: NZheng Wang <zyytlz.wz@163.com> Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: NSasha Levin <sashal@kernel.org> Signed-off-by: NLonglong Xia <xialonglong1@huawei.com>
Showing
想要评论请 注册 或 登录