media: saa7134: fix use after free bug in saa7134_finidev due to race condition

[ Upstream commit 30cf57da176cca80f11df0d9b7f71581fe601389 ] In saa7134_initdev, it will call saa7134_hwinit1. There are three function invoking here: saa7134_video_init1, saa7134_ts_init1 and saa7134_vbi_init1. All of them will init a timer with same function. Take saa7134_video_init1 as an example. It'll bound &dev->video_q.timeout with saa7134_buffer_timeout. In buffer_activate, the timer funtcion is started. If we remove the module or device which will call saa7134_finidev to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the timer works accordingly before cleanup in saa7134_finidev. CPU0 CPU1 |saa7134_buffer_timeout saa7134_finidev | kfree(dev); | | | saa7134_buffer_next | //use dev Fixes: 1e7126b4a86a ("media: saa7134: Convert timers to use timer_setup()") Signed-off-by: Zheng Wang <zyytlz.wz@163.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Zheng Wang <zyytlz.wz@163.com> 2023-03-18 16:50:23 +0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-05-17 11:35:38 +0200
commit: a4b6ab360f56ccdcde29eab29f493d8c464c3ffb (patch)
tree: 073b1e82b6788bf83a92058de1348f7ecffab518 /drivers
parent: cd1583caed7ea879ecb638ed876960e41363b7b6 (diff)
download: linux-stable-a4b6ab360f56ccdcde29eab29f493d8c464c3ffb.tar.gz
linux-stable-a4b6ab360f56ccdcde29eab29f493d8c464c3ffb.tar.bz2
linux-stable-a4b6ab360f56ccdcde29eab29f493d8c464c3ffb.zip
3 files changed, 3 insertions, 0 deletions
diff --git a/drivers/media/pci/saa7134/saa7134-ts.c b/drivers/media/pci/saa7134/saa7134-ts.c
index 6a5053126237..437dbe5e75e2 100644
--- a/drivers/media/pci/saa7134/saa7134-ts.c
+++ b/drivers/media/pci/saa7134/saa7134-ts.c
@@ -300,6 +300,7 @@ int saa7134_ts_start(struct saa7134_dev *dev)
 
 int saa7134_ts_fini(struct saa7134_dev *dev)
 {
+	del_timer_sync(&dev->ts_q.timeout);
 	saa7134_pgtable_free(dev->pci, &dev->ts_q.pt);
 	return 0;
 }
diff --git a/drivers/media/pci/saa7134/saa7134-vbi.c b/drivers/media/pci/saa7134/saa7134-vbi.c
index 3f0b0933eed6..3e773690468b 100644
--- a/drivers/media/pci/saa7134/saa7134-vbi.c
+++ b/drivers/media/pci/saa7134/saa7134-vbi.c
@@ -185,6 +185,7 @@ int saa7134_vbi_init1(struct saa7134_dev *dev)
 int saa7134_vbi_fini(struct saa7134_dev *dev)
 {
 	/* nothing */
+	del_timer_sync(&dev->vbi_q.timeout);
 	return 0;
 }
 
diff --git a/drivers/media/pci/saa7134/saa7134-video.c b/drivers/media/pci/saa7134/saa7134-video.c
index e454a288229b..ea26c8c57494 100644
--- a/drivers/media/pci/saa7134/saa7134-video.c
+++ b/drivers/media/pci/saa7134/saa7134-video.c
@@ -2154,6 +2154,7 @@ int saa7134_video_init1(struct saa7134_dev *dev)
 
 void saa7134_video_fini(struct saa7134_dev *dev)
 {
+	del_timer_sync(&dev->video_q.timeout);
 	/* free stuff */
 	vb2_queue_release(&dev->video_vbq);
 	saa7134_pgtable_free(dev->pci, &dev->video_q.pt);
author	Zheng Wang <zyytlz.wz@163.com>	2023-03-18 16:50:23 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2023-05-17 11:35:38 +0200
commit	a4b6ab360f56ccdcde29eab29f493d8c464c3ffb (patch)
tree	073b1e82b6788bf83a92058de1348f7ecffab518 /drivers
parent	cd1583caed7ea879ecb638ed876960e41363b7b6 (diff)
download	linux-stable-a4b6ab360f56ccdcde29eab29f493d8c464c3ffb.tar.gz linux-stable-a4b6ab360f56ccdcde29eab29f493d8c464c3ffb.tar.bz2 linux-stable-a4b6ab360f56ccdcde29eab29f493d8c464c3ffb.zip