From patchwork Wed Aug 23 16:09:59 2017
X-Patchwork-Submitter: Daniel Scheller
X-Patchwork-Id: 9917747
From: Daniel Scheller
To: linux-media@vger.kernel.org, mchehab@kernel.org, mchehab@s-opensource.com
Cc: jasmin@anw.at, Matthias Schwarzott
Subject: [PATCH 2/5] [media] ddbridge: fix teardown/deregistration order in ddb_input_detach()
Date: Wed, 23 Aug 2017 18:09:59 +0200
Message-Id: <20170823161002.25459-3-d.scheller.oss@gmail.com>
In-Reply-To: <20170823161002.25459-1-d.scheller.oss@gmail.com>
References: <20170823161002.25459-1-d.scheller.oss@gmail.com>
X-Mailing-List: linux-media@vger.kernel.org

From: Daniel Scheller Brought to attention by Matthias Schwarzott by fixing possible use-after-free faults in some demod drivers: In ddb_input_detach(), the i2c_client is unregistered and removed before dvb frontends are unregistered and detached. While no use-after-free issue was observed so far, there is another issue with this: dvb->attached keeps track of the state of the input/output registration, and the i2c_client unregistration takes place only if everything was successful (dvb->attached == 0x31). If for some reason an error occurred during the frontend setup, that value stays at 0x20. In the following error handling and cleanup, ddb_input_detach() will skip down to that state, leaving the i2c_client registered, causing refcount issues. Fix this by moving the i2c_client deregistration down to case 0x20. Cc: Matthias Schwarzott Signed-off-by: Daniel Scheller --- drivers/media/pci/ddbridge/ddbridge-core.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/media/pci/ddbridge/ddbridge-core.c b/drivers/media/pci/ddbridge/ddbridge-core.c index 2464bde1c432..281b6739b0c1 100644 --- a/drivers/media/pci/ddbridge/ddbridge-core.c +++ b/drivers/media/pci/ddbridge/ddbridge-core.c @@ -1255,11 +1255,6 @@ static void dvb_input_detach(struct ddb_input *input) switch (dvb->attached) { case 0x31: - client = dvb->i2c_client[0]; - if (client) { - module_put(client->dev.driver->owner); - i2c_unregister_device(client); - } if (dvb->fe2) dvb_unregister_frontend(dvb->fe2); if (dvb->fe) @@ -1273,6 +1268,12 @@ static void dvb_input_detach(struct ddb_input *input) dvb->fe = dvb->fe2 = NULL; /* fallthrough */ case 0x20: + client = dvb->i2c_client[0]; + if (client) { + module_put(client->dev.driver->owner); + i2c_unregister_device(client); + } + dvb_net_release(&dvb->dvbnet); /* fallthrough */ case 0x12:
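
Review bot: The subject and commit message name ddb_input_detach(), but the header of the first hunk (@@ -1255,11 +1255,6) shows the edited function is dvb_input_detach(struct ddb_input *input); the message should use the name that appears in the code so the fix can be found from the log. With the i2c block removed from case 0x31, the frontends are now unregistered and detached before the client goes away, which is the ordering the message argues for; a one-line comment at case 0x31 stating that the client must outlive the frontends would keep a later cleanup from moving it back.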
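
Review bot: In the block added under case 0x20 (second hunk, @@ -1273,6 +1268,12), dvb->i2c_client[0] is left pointing at the client after i2c_unregister_device(client), while the frontend pointers just above are reset with dvb->fe = dvb->fe2 = NULL. Setting dvb->i2c_client[0] = NULL after the unregister would prevent a stale pointer from being dereferenced or unregistered a second time if detach runs again. Because this block now also executes on the error path where attached stayed at 0x20, please confirm that on every route into that state a non-NULL i2c_client[0] has a bound driver and a module reference already taken: client->dev.driver->owner is dereferenced without a check and module_put() is unconditional, so a client that was registered but never bound, or whose reference was never acquired, would fault or unbalance the module refcount here.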