Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-12-22 10:56:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
f303810cf1
linux/drivers/media/usb
History
Matthias Schwarzott 910b0797fa media: em28xx: Fix use-after-free when disconnecting 
Fix bug by moving the i2c_unregister_device calls after deregistration
of dvb frontend.

The new style i2c drivers already destroys the frontend object at
i2c_unregister_device time.
When the dvb frontend is unregistered afterwards it leads to this oops:

  [ 6058.866459] BUG: unable to handle kernel NULL pointer dereference at 00000000000001f8
  [ 6058.866578] IP: dvb_frontend_stop+0x30/0xd0 [dvb_core]
  [ 6058.866644] PGD 0
  [ 6058.866646] P4D 0

  [ 6058.866726] Oops: 0000 [#1] SMP
  [ 6058.866768] Modules linked in: rc_pinnacle_pctv_hd(O) em28xx_rc(O) si2157(O) si2168(O) em28xx_dvb(O) em28xx(O) si2165(O) a8293(O) tda10071(O) tea5767(O) tuner(O) cx23885(O) tda18271(O) videobuf2_dvb(O) videobuf2_dma_sg(O) m88ds3103(O) tveeprom(O) cx2341x(O) v4l2_common(O) dvb_core(O) rc_core(O) videobuf2_memops(O) videobuf2_v4l2(O) videobuf2_core(O) videodev(O) media(O) bluetooth ecdh_generic ums_realtek uas rtl8192cu rtl_usb rtl8192c_common rtlwifi usb_storage snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic i2c_mux snd_hda_intel snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core kvm_intel kvm irqbypass [last unloaded: videobuf2_memops]
  [ 6058.867497] CPU: 2 PID: 7349 Comm: kworker/2:0 Tainted: G        W  O    4.13.9-gentoo #1
  [ 6058.867595] Hardware name: MEDION E2050 2391/H81H3-EM2, BIOS H81EM2W08.308 08/25/2014
  [ 6058.867692] Workqueue: usb_hub_wq hub_event
  [ 6058.867746] task: ffff88011a15e040 task.stack: ffffc90003074000
  [ 6058.867825] RIP: 0010:dvb_frontend_stop+0x30/0xd0 [dvb_core]
  [ 6058.867896] RSP: 0018:ffffc90003077b58 EFLAGS: 00010293
  [ 6058.867964] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000010040001f
  [ 6058.868056] RDX: ffff88011a15e040 RSI: ffffea000464e400 RDI: ffff88001cbe3028
  [ 6058.868150] RBP: ffffc90003077b68 R08: ffff880119390380 R09: 000000010040001f
  [ 6058.868241] R10: ffffc90003077b18 R11: 000000000001e200 R12: ffff88001cbe3028
  [ 6058.868330] R13: ffff88001cbe68d0 R14: ffff8800cf734000 R15: ffff8800cf734098
  [ 6058.868419] FS:  0000000000000000(0000) GS:ffff88011fb00000(0000) knlGS:0000000000000000
  [ 6058.868511] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 6058.868578] CR2: 00000000000001f8 CR3: 00000001113c5000 CR4: 00000000001406e0
  [ 6058.868662] Call Trace:
  [ 6058.868705]  dvb_unregister_frontend+0x2a/0x80 [dvb_core]
  [ 6058.868774]  em28xx_dvb_fini+0x132/0x220 [em28xx_dvb]
  [ 6058.868840]  em28xx_close_extension+0x34/0x90 [em28xx]
  [ 6058.868902]  em28xx_usb_disconnect+0x4e/0x70 [em28xx]
  [ 6058.868968]  usb_unbind_interface+0x6d/0x260
  [ 6058.869025]  device_release_driver_internal+0x150/0x210
  [ 6058.869094]  device_release_driver+0xd/0x10
  [ 6058.869150]  bus_remove_device+0xe4/0x160
  [ 6058.869204]  device_del+0x1ce/0x2f0
  [ 6058.869253]  usb_disable_device+0x99/0x270
  [ 6058.869306]  usb_disconnect+0x8d/0x260
  [ 6058.869359]  hub_event+0x93d/0x1520
  [ 6058.869408]  ? dequeue_task_fair+0xae5/0xd20
  [ 6058.869467]  process_one_work+0x1d9/0x3e0
  [ 6058.869522]  worker_thread+0x43/0x3e0
  [ 6058.869576]  kthread+0x104/0x140
  [ 6058.869602]  ? trace_event_raw_event_workqueue_work+0x80/0x80
  [ 6058.869640]  ? kthread_create_on_node+0x40/0x40
  [ 6058.869673]  ret_from_fork+0x22/0x30
  [ 6058.869698] Code: 54 49 89 fc 53 48 8b 9f 18 03 00 00 0f 1f 44 00 00 41 83 bc 24 04 05 00 00 02 74 0c 41 c7 84 24 04 05 00 00 01 00 00 00 0f ae f0 <48> 8b bb f8 01 00 00 48 85 ff 74 5c e8 df 40 f0 e0 48 8b 93 f8
  [ 6058.869850] RIP: dvb_frontend_stop+0x30/0xd0 [dvb_core] RSP: ffffc90003077b58
  [ 6058.869894] CR2: 00000000000001f8
  [ 6058.875880] ---[ end trace 717eecf7193b3fc6 ]---

Signed-off-by: Matthias Schwarzott <zzam@gentoo.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-12-11 13:04:50 -05:00
..
airspy media: usb: make video_device const 2017-08-27 08:45:32 -04:00
as102 media updates for v4.15-rc1 2017-11-15 20:30:12 -08:00
au0828 media: usb: add SPDX identifiers to some code I wrote 2017-12-11 07:41:11 -05:00
b2c2 media updates for v4.15-rc1 2017-11-15 20:30:12 -08:00
cpia2 media: cpia2: Fix a couple off by one bugs 2017-12-08 11:12:53 -05:00
cx231xx media: usb: add SPDX identifiers to some code I wrote 2017-12-11 07:41:11 -05:00
dvb-usb media: use ARRAY_SIZE 2017-12-08 10:11:00 -05:00
dvb-usb-v2 media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner 2017-12-11 07:52:47 -05:00
em28xx media: em28xx: Fix use-after-free when disconnecting 2017-12-11 13:04:50 -05:00
go7007 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gspca media: gspca: Convert PDEBUG to gspca_dbg 2017-12-08 10:10:15 -05:00
hackrf media: usb: make video_device const 2017-08-27 08:45:32 -04:00
hdpvr media: hdpvr: Fix an error handling path in hdpvr_probe() 2017-12-08 10:06:19 -05:00
msi2500 media: usb: fix spelling mistake: "synchronuously" -> "synchronously" 2017-11-07 03:47:09 -05:00
pulse8-cec media: pulse8-cec: print time using time64_t 2017-12-08 11:08:22 -05:00
pvrusb2 media updates for v4.15-rc1 2017-11-15 20:30:12 -08:00
pwc media: drivers: remove "/**" from non-kernel-doc comments 2017-11-30 04:19:03 -05:00
rainshadow-cec media: usb: rainshadow-cec: constify serio_device_id 2017-08-20 08:27:29 -04:00
s2255 media: s2255drv: update firmware load 2017-12-08 10:43:59 -05:00
siano media: siano: get rid of documentation warnings 2017-11-27 08:40:36 -05:00
stk1160 media updates for v4.15-rc1 2017-11-15 20:30:12 -08:00
stkwebcam media: stk-webcam: Fix use after free on disconnect 2017-12-08 10:06:46 -05:00
tm6000 media: usb: add SPDX identifiers to some code I wrote 2017-12-11 07:41:11 -05:00
ttusb-budget media: drivers: remove "/**" from non-kernel-doc comments 2017-11-30 04:19:03 -05:00
ttusb-dec media: usb: constify usb_device_id 2017-08-20 08:04:51 -04:00
usbtv media: usbtv: add a new usbid 2017-11-27 14:49:18 -05:00
usbvision media: usbvision: remove unneeded DRIVER_LICENSE #define 2017-12-08 11:13:44 -05:00
uvc media: uvcvideo: Stream error events carry no data 2017-12-08 11:33:09 -05:00
zr364xx media: drivers: Adjust checks for null pointers 2017-09-23 08:20:57 -04:00
Kconfig [media] rainshadow-cec: new RainShadow Tech HDMI CEC driver 2017-04-10 12:42:10 -03:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00