diff mbox series

media:exynos4-is: Fix a use after free in isp_video_release

Message ID 20210427023315.4537-1-lyl2019@mail.ustc.edu.cn (mailing list archive)
State Not Applicable
Headers show
Series media:exynos4-is: Fix a use after free in isp_video_release | expand

Commit Message

Lv Yunlong April 27, 2021, 2:33 a.m. UTC 
In isp_video_release, file->private_data is freed via
_vb2_fop_release()->v4l2_fh_release(). But the freed
file->private_data is still used in v4l2_fh_is_singular_file()
->v4l2_fh_is_singular(filp->private_data), which is a use
after free bug.

My patch set file->private_data to NULL after _vb2_fop_release()
to avoid the use after free.

Fixes: 34947b8aebe3f ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/media/platform/exynos4-is/fimc-isp-video.c | 1 +
 1 file changed, 1 insertion(+)

Comments

kernel test robot April 27, 2021, 5:07 a.m. UTC | #1 
Hi Lv,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on linuxtv-media/master]
[also build test ERROR on v5.12 next-20210426]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Lv-Yunlong/media-exynos4-is-Fix-a-use-after-free-in-isp_video_release/20210427-103518
base:   git://linuxtv.org/media_tree.git master
config: m68k-allmodconfig (attached as .config)
compiler: m68k-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/be22db53410320e33e9e471a8a15f14904b5e801
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Lv-Yunlong/media-exynos4-is-Fix-a-use-after-free-in-isp_video_release/20210427-103518
        git checkout be22db53410320e33e9e471a8a15f14904b5e801
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross W=1 ARCH=m68k 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   In file included from include/linux/build_bug.h:5,
                    from include/linux/bits.h:22,
                    from include/linux/bitops.h:6,
                    from drivers/media/platform/exynos4-is/fimc-isp-video.c:14:
   include/linux/scatterlist.h: In function 'sg_set_buf':
   arch/m68k/include/asm/page_mm.h:174:49: warning: ordered comparison of pointer with null pointer [-Wextra]
     174 | #define virt_addr_valid(kaddr) ((void *)(kaddr) >= (void *)PAGE_OFFSET && (void *)(kaddr) < high_memory)
         |                                                 ^~
   include/linux/compiler.h:78:42: note: in definition of macro 'unlikely'
      78 | # define unlikely(x) __builtin_expect(!!(x), 0)
         |                                          ^
   include/linux/scatterlist.h:137:2: note: in expansion of macro 'BUG_ON'
     137 |  BUG_ON(!virt_addr_valid(buf));
         |  ^~~~~~
   include/linux/scatterlist.h:137:10: note: in expansion of macro 'virt_addr_valid'
     137 |  BUG_ON(!virt_addr_valid(buf));
         |          ^~~~~~~~~~~~~~~
   drivers/media/platform/exynos4-is/fimc-isp-video.c: In function 'isp_video_release':
>> drivers/media/platform/exynos4-is/fimc-isp-video.c:318:2: error: 'filp' undeclared (first use in this function); did you mean 'file'?
     318 |  filp->private_data = NULL;
         |  ^~~~
         |  file
   drivers/media/platform/exynos4-is/fimc-isp-video.c:318:2: note: each undeclared identifier is reported only once for each function it appears in


vim +318 drivers/media/platform/exynos4-is/fimc-isp-video.c

   302	
   303	static int isp_video_release(struct file *file)
   304	{
   305		struct fimc_isp *isp = video_drvdata(file);
   306		struct fimc_is_video *ivc = &isp->video_capture;
   307		struct media_entity *entity = &ivc->ve.vdev.entity;
   308		struct media_device *mdev = entity->graph_obj.mdev;
   309	
   310		mutex_lock(&isp->video_lock);
   311	
   312		if (v4l2_fh_is_singular_file(file) && ivc->streaming) {
   313			media_pipeline_stop(entity);
   314			ivc->streaming = 0;
   315		}
   316	
   317		_vb2_fop_release(file, NULL);
 > 318		filp->private_data = NULL;
   319	
   320		if (v4l2_fh_is_singular_file(file)) {
   321			fimc_pipeline_call(&ivc->ve, close);
   322	
   323			mutex_lock(&mdev->graph_mutex);
   324			entity->use_count--;
   325			mutex_unlock(&mdev->graph_mutex);
   326		}
   327	
   328		pm_runtime_put(&isp->pdev->dev);
   329		mutex_unlock(&isp->video_lock);
   330	
   331		return 0;
   332	}
   333	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff mbox series

Patch

diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.c b/drivers/media/platform/exynos4-is/fimc-isp-video.c
index 612b9872afc8..f414493258ad 100644
--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
+++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
@@ -315,6 +315,7 @@  static int isp_video_release(struct file *file)
 	}
 
 	_vb2_fop_release(file, NULL);
+	filp->private_data = NULL;
 
 	if (v4l2_fh_is_singular_file(file)) {
 		fimc_pipeline_call(&ivc->ve, close);