From patchwork Fri Dec 15 16:43:37 2017
X-Patchwork-Submitter: Daniel Scheller
X-Patchwork-Id: 10115503
From: Daniel Scheller
To: linux-media@vger.kernel.org, mchehab@kernel.org, mchehab@s-opensource.com, crope@iki.fi
Subject: [PATCH] [media] tda18212: fix use-after-free in tda18212_remove()
Date: Fri, 15 Dec 2017 17:43:37 +0100
Message-Id: <20171215164337.3236-1-d.scheller.oss@gmail.com>
X-Mailer: git-send-email 2.13.6
X-Mailing-List: linux-media@vger.kernel.org
From: Daniel Scheller

When the driver gets unloaded via its tda18212_remove() function, all frontend structures may already have been freed as controlling/bridge drivers already used dvb_frontend_detach() in their teardown process. Since __dvb_frontend_free now releases and clears all structures, the memset and the NULL assignment in tda18212_remove() lead to this KASAN report (invoked via ddbridge, which does dvb_frontend_detach() first, followed by i2c_unregister_device()):

[  154.028353] ==================================================================
[  154.028396] BUG: KASAN: use-after-free in tda18212_remove+0x5c/0xb0 [tda18212]
[  154.028415] Write of size 288 at addr ffff880108b554d8 by task rmmod/285
[  154.028442] CPU: 0 PID: 285 Comm: rmmod Tainted: G C 4.15.0-rc1-13682-g1363f325bc44 #1
[  154.028444] Hardware name: Gigabyte Technology Co., Ltd. P35-DS3/P35-DS3, BIOS F3 06/11/2007
[  154.028445] Call Trace:
[  154.028452]  dump_stack+0x46/0x61
[  154.028458]  print_address_description+0x79/0x270
[  154.028462]  ? tda18212_remove+0x5c/0xb0 [tda18212]
[  154.028465]  kasan_report+0x229/0x340
[  154.028468]  memset+0x1f/0x40
[  154.028472]  tda18212_remove+0x5c/0xb0 [tda18212]
[  154.028476]  i2c_device_remove+0x97/0xe0
[  154.028481]  device_release_driver_internal+0x267/0x510
[  154.028484]  bus_remove_device+0x296/0x470
[  154.028486]  device_del+0x35c/0x890
[  154.028489]  ? __device_links_no_driver+0x1c0/0x1c0
[  154.028493]  ? cxd2841er_get_algo+0x10/0x10 [cxd2841er]
[  154.028497]  ? cxd2841er_get_algo+0x10/0x10 [cxd2841er]
[  154.028500]  ? __module_text_address+0xe/0x140
[  154.028503]  device_unregister+0x9/0x20
[  154.028509]  dvb_input_detach.isra.24+0x286/0x480 [ddbridge]
[  154.028514]  ddb_ports_detach+0x176/0x630 [ddbridge]
[  154.028519]  ddb_remove+0x3c/0xb0 [ddbridge]
[  154.028523]  pci_device_remove+0x93/0x1d0
[  154.028526]  device_release_driver_internal+0x267/0x510
[  154.028529]  driver_detach+0xb9/0x1b0
[  154.028532]  bus_remove_driver+0xd0/0x1f0
[  154.028536]  pci_unregister_driver+0x25/0x210
[  154.028541]  module_exit_ddbridge+0xc/0x45 [ddbridge]
[  154.028544]  SyS_delete_module+0x314/0x440
[  154.028546]  ? free_module+0x5b0/0x5b0
[  154.028550]  ? exit_to_usermode_loop+0xa9/0xc0
[  154.028552]  ? free_module+0x5b0/0x5b0
[  154.028554]  do_syscall_64+0x179/0x4c0
[  154.028557]  ? do_page_fault+0x1b/0x60
[  154.028560]  entry_SYSCALL64_slow_path+0x25/0x25
[  154.028563] RIP: 0033:0x7f6c40930de7
[  154.028565] RSP: 002b:00007ffc060d6ab8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[  154.028569] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6c40930de7
[  154.028571] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000000002053268
[  154.028573] RBP: 0000000002053200 R08: 0000000000000000 R09: 1999999999999999
[  154.028574] R10: 0000000000000891 R11: 0000000000000206 R12: 00007ffc060d74ef
[  154.028576] R13: 0000000000000000 R14: 0000000002053200 R15: 0000000002052010

[  154.028588] Allocated by task 164:
[  154.028603]  cxd2841er_attach+0xc3/0x7f0 [cxd2841er]
[  154.028608]  demod_attach_cxd28xx+0x14c/0x3f0 [ddbridge]
[  154.028612]  dvb_input_attach+0x671/0x1e20 [ddbridge]
[  154.028616]  ddb_ports_attach+0x453/0xd00 [ddbridge]
[  154.028620]  ddb_init+0x4b3/0xa30 [ddbridge]
[  154.028624]  ddb_probe+0xa51/0xfe0 [ddbridge]
[  154.028627]  pci_device_probe+0x279/0x480
[  154.028630]  driver_probe_device+0x46f/0x7a0
[  154.028632]  __driver_attach+0x133/0x170
[  154.028634]  bus_for_each_dev+0x10a/0x190
[  154.028637]  bus_add_driver+0x2a3/0x5a0
[  154.028639]  driver_register+0x182/0x3a0
[  154.028641]  0xffffffffa016808f
[  154.028643]  do_one_initcall+0x77/0x1d0
[  154.028646]  do_init_module+0x1c2/0x548
[  154.028648]  load_module+0x5e61/0x8df0
[  154.028650]  SyS_finit_module+0x142/0x150
[  154.028652]  do_syscall_64+0x179/0x4c0
[  154.028654]  return_from_SYSCALL_64+0x0/0x65

[  154.028664] Freed by task 285:
[  154.028676]  kfree+0x6c/0xa0
[  154.028682]  __dvb_frontend_free+0x81/0xb0 [dvb_core]
[  154.028687]  dvb_input_detach.isra.24+0x17c/0x480 [ddbridge]
[  154.028691]  ddb_ports_detach+0x176/0x630 [ddbridge]
[  154.028695]  ddb_remove+0x3c/0xb0 [ddbridge]
[  154.028697]  pci_device_remove+0x93/0x1d0
[  154.028700]  device_release_driver_internal+0x267/0x510
[  154.028702]  driver_detach+0xb9/0x1b0
[  154.028705]  bus_remove_driver+0xd0/0x1f0
[  154.028707]  pci_unregister_driver+0x25/0x210
[  154.028711]  module_exit_ddbridge+0xc/0x45 [ddbridge]
[  154.028714]  SyS_delete_module+0x314/0x440
[  154.028716]  do_syscall_64+0x179/0x4c0
[  154.028718]  return_from_SYSCALL_64+0x0/0x65

[  154.028729] The buggy address belongs to the object at ffff880108b55340
                which belongs to the cache kmalloc-2048 of size 2048
[  154.028755] The buggy address is located 408 bytes inside of
                2048-byte region [ffff880108b55340, ffff880108b55b40)
[  154.028778] The buggy address belongs to the page:
[  154.028792] page:ffffea00039e7a60 count:1 mapcount:0 mapping:ffff880108b54240 index:0x0 compound_mapcount: 0
[  154.028814] flags: 0x8000000000008100(slab|head)
[  154.028830] raw: 8000000000008100 ffff880108b54240 0000000000000000 0000000100000003
[  154.028848] raw: ffffea00039e7310 ffffea00039e7bd0 ffff88010b000800
[  154.028862] page dumped because: kasan: bad access detected

[  154.028883] Memory state around the buggy address:
[  154.028896]  ffff880108b55380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  154.028913]  ffff880108b55400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  154.028929] >ffff880108b55480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  154.028945]                                                     ^
[  154.028960]  ffff880108b55500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  154.028976]  ffff880108b55580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  154.028991] ==================================================================
[  154.029006] Disabling lock debugging due to kernel taint

Fix this by removing the memcpy and the NULL assign.

Cc: Antti Palosaari
Signed-off-by: Daniel Scheller
---
 drivers/media/tuners/tda18212.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/drivers/media/tuners/tda18212.c b/drivers/media/tuners/tda18212.c index 7b8068354fea..ebccf8a8729d 100644 --- a/drivers/media/tuners/tda18212.c +++ b/drivers/media/tuners/tda18212.c @@ -258,12 +258,7 @@ static int tda18212_probe(struct i2c_client *client, static int tda18212_remove(struct i2c_client *client) { struct tda18212_dev *dev = i2c_get_clientdata(client); - struct dvb_frontend *fe = dev->cfg.fe; - dev_dbg(&client->dev, "\n"); - - memset(&fe->ops.tuner_ops, 0, sizeof(struct dvb_tuner_ops)); - fe->tuner_priv = NULL; kfree(dev); return 0;
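Review bot: the hunk makes tda18212_remove() safe only for the teardown order the commit message describes, dvb_frontend_detach() before i2c_unregister_device(); with the reverse order, nothing clears fe->ops.tuner_ops and fe->tuner_priv any more, so the frontend keeps whatever the old memset(&fe->ops.tuner_ops, 0, ...) and fe->tuner_priv = NULL were there to wipe, now referring to the just-kfree()'d dev. That ordering requirement should be stated either in the commit message or in a short comment above kfree(dev), so a bridge-driver author knows the tuner client must be unregistered after the frontend is detached. Separately, the commit message says "removing the memcpy and the NULL assign" while the line dropped by the hunk is memset(&fe->ops.tuner_ops, 0, sizeof(struct dvb_tuner_ops)); the message should say memset.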
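The teardown ordering the commit message describes, as an added example that is not code from the patch, from ddbridge or from the kernel tree: a user-space model in which a frontend is allocated, torn down in the order ddbridge uses (dvb_frontend_detach() first, i2c_unregister_device() second), and the old and the new tuner remove() are each run against it. Every name here is a hypothetical stand-in chosen for the example: struct frontend, struct tuner_dev, frontend_detach(), tuner_remove_buggy(), tuner_remove_fixed(), run_teardown() and the small liveness tracker that plays the role of KASAN are not kernel APIs. The tracker only clears a live bit on free and keeps the memory mapped, so the stale write is counted and reported instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for struct dvb_tuner_ops, struct dvb_frontend and
 * struct tda18212_dev; not the kernel definitions. */
struct frontend;
struct tuner_ops { int (*release)(struct frontend *fe); };
struct frontend {
    struct tuner_ops tuner_ops;  /* copied in by the tuner at probe time */
    void *tuner_priv;            /* set by the tuner at probe time */
};
struct tuner_dev {
    struct frontend *fe;         /* like dev->cfg.fe: borrowed, not owned by the tuner */
};

/* Toy liveness tracker standing in for KASAN: tracked_free() only clears the
 * live bit and keeps the memory mapped until tracked_reset(), so a write after
 * free is reported and counted instead of being undefined behaviour. */
#define MAX_TRACKED 8
static struct { void *ptr; bool live; } tracked[MAX_TRACKED];
static int uaf_reports;

static void tracked_reset(void)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        free(tracked[i].ptr);
        tracked[i].ptr = NULL;
    }
    uaf_reports = 0;
}

static void *tracked_alloc(size_t n)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!tracked[i].ptr) {
            tracked[i].ptr = calloc(1, n);
            tracked[i].live = true;
            return tracked[i].ptr;
        }
    return NULL;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i].ptr == p)
            tracked[i].live = false;
}

/* The shadow-memory check KASAN does on every access, done explicitly here. */
static void check_access(const void *p, const char *who)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i].ptr == p && !tracked[i].live) {
            uaf_reports++;
            fprintf(stderr, "BUG: use-after-free in %s\n", who);
        }
}

static int tuner_release(struct frontend *fe) { (void)fe; return 0; }

/* Models dvb_frontend_detach() -> __dvb_frontend_free(): the frontend runs the
 * tuner's release hook itself, then kfree()s the frontend object. */
static void frontend_detach(struct frontend *fe)
{
    check_access(fe, "frontend_detach");
    if (fe->tuner_ops.release)
        fe->tuner_ops.release(fe);
    tracked_free(fe);
}

/* The old tda18212_remove(): clears state that lives inside the frontend. */
void tuner_remove_buggy(struct tuner_dev *dev)
{
    struct frontend *fe = dev->fe;
    check_access(fe, "tuner_remove_buggy");
    memset(&fe->tuner_ops, 0, sizeof(struct tuner_ops));  /* the reported write */
    fe->tuner_priv = NULL;
    free(dev);                   /* dev is the tuner's own allocation: fine */
}

/* The fixed tda18212_remove(): release only what the tuner itself owns. */
void tuner_remove_fixed(struct tuner_dev *dev)
{
    free(dev);
}

/* Bridge teardown in the order ddbridge uses: frontend first, tuner client
 * second. Returns the number of use-after-free reports the tracker raised. */
int run_teardown(void (*tuner_remove)(struct tuner_dev *))
{
    tracked_reset();
    struct frontend *fe = tracked_alloc(sizeof *fe);
    struct tuner_dev *dev = calloc(1, sizeof *dev);
    if (!fe || !dev) abort();
    dev->fe = fe;                        /* what the tuner's probe() records */
    fe->tuner_priv = dev;
    fe->tuner_ops.release = tuner_release;
    frontend_detach(fe);                 /* dvb_frontend_detach(): kfree(fe) */
    tuner_remove(dev);                   /* i2c_unregister_device(): remove() */
    return uaf_reports;
}

int main(void)
{
    printf("old remove(): %d use-after-free report(s)\n", run_teardown(tuner_remove_buggy));
    printf("new remove(): %d use-after-free report(s)\n", run_teardown(tuner_remove_fixed));
    tracked_reset();
    return 0;
}
```

The point the model makes is about ownership rather than ordering alone: the frontend object and the tuner_ops it embeds belong to the demod/bridge side and are freed by __dvb_frontend_free, so the only thing a tuner's i2c remove() can safely release is the allocation it made itself. Run with the old remove() the tracker raises one report for the write into the detached frontend; with the fixed remove() it raises none.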