linux/drivers/media/rc
Duoming Zhou 29b0589a86 media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
When the ene device is detaching, function ene_remove() will
be called. But because there is no function to cancel tx_sim_timer
in ene_remove(), the timer handler ene_tx_irqsim() could race
with ene_remove(). As a result, UAF bugs could happen;
the process is shown below.

    (cleanup routine)          |        (timer routine)
                               | mod_timer(&dev->tx_sim_timer, ..)
ene_remove()                   | (wait a time)
                               | ene_tx_irqsim()
                               |   dev->hw_lock //USE
                               |   ene_tx_sample(dev) //USE

Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(),
so that tx_sim_timer is stopped before the ene device is deallocated.

What's more, rc_unregister_device() and del_timer_sync()
should be called first in ene_remove(), and the deallocation
functions such as free_irq(), release_region() and so on
should be called after them, because rc_unregister_device()
is well synchronized. Otherwise, race conditions may happen. The
situations that may lead to race conditions are shown below.

Firstly, the rx receiver is disabled with ene_rx_disable()
before rc_unregister_device() in ene_remove(), which means it
can be enabled again if a process opens /dev/lirc0 between
ene_rx_disable() and rc_unregister_device().

Secondly, the irqaction descriptor is freed by free_irq()
before the rc device is unregistered, which means the irqaction
descriptor may be accessed again after it is deallocated.

Thirdly, the timer can call ene_tx_sample() that can write
to the io ports, which means the io ports could be accessed
again after they are deallocated by release_region().

Therefore, the rc_unregister_device() and del_timer_sync()
should be called first in ene_remove().

Suggested by: Sean Young <sean@mess.org>

Fixes: 9ea53b74df ("V4L/DVB: STAGING: remove lirc_ene0100 driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
2023-02-08 07:49:22 +01:00
img-ir media: rc: img-ir: Make use of the helper function devm_platform_ioremap_resource() 2021-09-30 10:07:50 +02:00
keymaps media: Makefiles: sort entries where it fits 2022-03-14 09:42:59 +01:00
ati_remote.c media: ati-remote: remove private err() macro 2022-07-15 14:54:59 +01:00
bpf-lirc.c bpf: Move rcu lock management out of BPF_PROG_RUN routines 2022-04-19 09:45:47 -07:00
ene_ir.c media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() 2023-02-08 07:49:22 +01:00
ene_ir.h
fintek-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
fintek-cir.h
gpio-ir-recv.c media: rc: gpio-ir-recv: add remove function 2023-02-08 07:49:00 +01:00
gpio-ir-tx.c media: Switch to use dev_err_probe() helper 2022-12-07 17:58:46 +01:00
igorplugusb.c media: igorplugusb: use correct size pass to igorplugusb_probe() 2022-07-15 14:52:20 +01:00
iguanair.c media: iguanair: no superfluous usb_unlink_urb() 2022-06-20 10:30:33 +01:00
imon_raw.c media: imon_raw: respect DMA coherency 2022-06-20 10:30:33 +01:00
imon.c media: imon: fix a race condition in send_packet() 2022-11-25 08:00:45 +00:00
ir_toy.c media: ir_toy: free before error exiting 2022-01-24 01:35:35 +01:00
ir-hix5hd2.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-imon-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-jvc-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-mce_kbd-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-nec-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rc5-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rc6-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rcmm-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-rx51.c media: rc/ir-rx51: Drop empty platform remove function 2023-01-22 08:36:58 +01:00
ir-sanyo-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-sharp-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-sony-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ir-spi.c media: ir-spi: silence no spi_device_id warnings 2022-11-25 08:00:22 +00:00
ir-xmp-decoder.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ite-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ite-cir.h media: rc: ite-cir: replace some an EN DASH 2021-06-04 08:10:42 +02:00
Kconfig media: rc: Drop obsolete dependencies on COMPILE_TEST 2023-01-22 08:36:35 +01:00
lirc_dev.c media: rc: Directly use ida_free() 2022-06-20 10:30:33 +01:00
Makefile media: Makefiles: sort entries where it fits 2022-03-14 09:42:59 +01:00
mceusb.c media: mceusb: set timeout to at least timeout provided 2022-09-24 07:50:42 +02:00
meson-ir-tx.c media: meson-ir-tx: remove superfluous dev_err() 2022-04-24 07:30:34 +01:00
meson-ir.c media: rc: meson-ir: Make use of the helper function devm_platform_ioremap_resource() 2021-09-30 10:07:50 +02:00
mtk-cir.c media: mtk-cir: simplify code 2022-01-24 01:38:32 +01:00
nuvoton-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
nuvoton-cir.h media: rc: harmonize infrared durations to microseconds 2020-09-03 16:18:55 +02:00
pwm-ir-tx.c media: rc: Drop obsolete dependencies on COMPILE_TEST 2023-01-22 08:36:35 +01:00
rc-core-priv.h media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
rc-ir-raw.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
rc-loopback.c media: lirc: report ir receiver overflow 2022-01-28 19:32:50 +01:00
rc-main.c driver core: make struct class.devnode() take a const * 2022-11-24 17:12:27 +01:00
redrat3.c media: redrat3: no unnecessary GFP_ATOMIC 2022-06-20 10:30:33 +01:00
serial_ir.c media: rc: fix timeout handling after switch to microsecond durations 2021-01-11 12:58:44 +01:00
st_rc.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
streamzap.c media: streamzap: avoid unnecessary GFP_ATOMIC 2022-06-20 10:30:33 +01:00
sunxi-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
ttusbir.c media: ttusbir: avoid unnecessary usb_unlink_urb() 2022-06-20 10:30:33 +01:00
winbond-cir.c media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
xbox_remote.c media: xbox_remote: xbox_remote_initialize() cannot fail 2022-06-20 10:30:33 +01:00