linux/drivers/media
Max Kellermann da677fe143 [media] dvb-core/en50221: use kref to manage struct dvb_ca_private
Don't free the object until the file handle has been closed.  Fixes
use-after-free bug which occurs when I disconnect my DVB-S received
while VDR is running.

This is a crash dump of such a use-after-free:

    general protection fault: 0000 [#1] SMP
    CPU: 0 PID: 2541 Comm: CI adapter on d Not tainted 4.7.0-rc1-hosting+ #49
    Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
    task: ffff880027d7ce00 ti: ffff88003d8f8000 task.ti: ffff88003d8f8000
    RIP: 0010:[<ffffffff812f3d1f>]  [<ffffffff812f3d1f>] dvb_ca_en50221_io_read_condition.isra.7+0x6f/0x150
    RSP: 0018:ffff88003d8fba98  EFLAGS: 00010206
    RAX: 0000000059534255 RBX: 000000753d470f90 RCX: ffff88003c74d181
    RDX: 00000001bea04ba9 RSI: ffff88003d8fbaf4 RDI: 3a3030a56d763fc0
    RBP: ffff88003d8fbae0 R08: ffff88003c74d180 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000000 R12: ffff88003c480e00
    R13: 00000000ffffffff R14: 0000000059534255 R15: 0000000000000000
    FS:  00007fb4209b4700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f06445f4078 CR3: 000000003c55b000 CR4: 00000000000006b0
    Stack:
     ffff88003d8fbaf4 000000003c2170c0 0000000000004000 0000000000000000
     ffff88003c480e00 ffff88003d8fbc80 ffff88003c74d180 ffff88003d8fbb8c
     0000000000000000 ffff88003d8fbb10 ffffffff812f3e37 ffff88003d8fbb00
    Call Trace:
     [<ffffffff812f3e37>] dvb_ca_en50221_io_poll+0x37/0xa0
     [<ffffffff8113109b>] do_sys_poll+0x2db/0x520

This is a backtrace of the kernel attempting to lock a freed mutex:

    #0  0xffffffff81083d40 in rep_nop () at ./arch/x86/include/asm/processor.h:569
    #1  cpu_relax () at ./arch/x86/include/asm/processor.h:574
    #2  virt_spin_lock (lock=<optimized out>) at ./arch/x86/include/asm/qspinlock.h:57
    #3  native_queued_spin_lock_slowpath (lock=0xffff88003c480e90, val=761492029) at kernel/locking/qspinlock.c:304
    #4  0xffffffff810d1a06 in pv_queued_spin_lock_slowpath (val=<optimized out>, lock=<optimized out>) at ./arch/x86/include/asm/paravirt.h:669
    #5  queued_spin_lock_slowpath (val=<optimized out>, lock=<optimized out>) at ./arch/x86/include/asm/qspinlock.h:28
    #6  queued_spin_lock (lock=<optimized out>) at include/asm-generic/qspinlock.h:107
    #7  __mutex_lock_common (use_ww_ctx=<optimized out>, ww_ctx=<optimized out>, ip=<optimized out>, nest_lock=<optimized out>, subclass=<optimized out>,
        state=<optimized out>, lock=<optimized out>) at kernel/locking/mutex.c:526
    #8  mutex_lock_interruptible_nested (lock=0xffff88003c480e88, subclass=<optimized out>) at kernel/locking/mutex.c:647
    #9  0xffffffff812f49fe in dvb_ca_en50221_io_do_ioctl (file=<optimized out>, cmd=761492029, parg=0x1 <irq_stack_union+1>)
        at drivers/media/dvb-core/dvb_ca_en50221.c:1210
    #10 0xffffffff812ee660 in dvb_usercopy (file=<optimized out>, cmd=761492029, arg=<optimized out>, func=<optimized out>) at drivers/media/dvb-core/dvbdev.c:883
    #11 0xffffffff812f3410 in dvb_ca_en50221_io_ioctl (file=<optimized out>, cmd=<optimized out>, arg=<optimized out>) at drivers/media/dvb-core/dvb_ca_en50221.c:1284
    #12 0xffffffff8112eddd in vfs_ioctl (arg=<optimized out>, cmd=<optimized out>, filp=<optimized out>) at fs/ioctl.c:43
    #13 do_vfs_ioctl (filp=0xffff88003c480e90, fd=<optimized out>, cmd=<optimized out>, arg=<optimized out>) at fs/ioctl.c:674
    #14 0xffffffff8112f30c in SYSC_ioctl (arg=<optimized out>, cmd=<optimized out>, fd=<optimized out>) at fs/ioctl.c:689
    #15 SyS_ioctl (fd=6, cmd=2148298626, arg=140734533693696) at fs/ioctl.c:680
    #16 0xffffffff8103feb2 in entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:207

Signed-off-by: Max Kellermann <max@duempel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2016-07-13 15:45:29 -03:00
..
common [media] v4l2-tpg: ignore V4L2_DV_RGB_RANGE setting for YUV formats 2016-07-08 16:16:52 -03:00
dvb-core [media] dvb-core/en50221: use kref to manage struct dvb_ca_private 2016-07-13 15:45:29 -03:00
dvb-frontends [media] ascot2e: Fix I2C message size check 2016-07-13 11:56:22 -03:00
firewire [media] dvb: modify core to implement interfaces/entities at MC new gen 2016-01-11 12:18:52 -02:00
i2c [media] adv7511: the h/vsync polarities were always positive 2016-07-12 13:37:41 -03:00
mmc [media] siano: register media controller earlier 2015-02-26 09:10:39 -03:00
pci [media] tw686x: Support VIDIOC_{S,G}_PARM ioctls 2016-07-13 13:34:52 -03:00
platform [media] vsp1: clarify FCP dependency 2016-07-13 13:46:34 -03:00
radio [media] radio-maxiradio: fix memory leak when device is removed 2016-06-28 08:05:47 -03:00
rc [media] lirc_dev: use LIRC_CAN_REC() define to check if the device can receive 2016-07-13 15:29:03 -03:00
tuners [media] it913x: do not allow driver unbind 2016-07-08 17:01:23 -03:00
usb [media] dvb-usb: silence an uninitialized variable warning 2016-07-13 13:13:22 -03:00
v4l2-core [media] v4l2-ioctl: zero the v4l2_bt_timings reserved field 2016-07-12 13:37:20 -03:00
cec-edid.c [media] cec-edid: add module for EDID CEC helper functions 2016-06-28 09:45:51 -03:00
Kconfig [media] cec: fix Kconfig dependency problems 2016-07-08 18:34:00 -03:00
Makefile [media] cec: fix Kconfig dependency problems 2016-07-08 18:34:00 -03:00
media-device.c [media] media: fix media devnode ioctl/syscall and unregister race 2016-06-15 17:59:28 -03:00
media-devnode.c [media] media: fix media devnode ioctl/syscall and unregister race 2016-06-15 17:59:28 -03:00
media-entity.c [media] media: change pipeline validation return error 2016-04-29 08:07:17 -03:00