android_kernel_samsung_sm8650/drivers/media/pci/bt8xx
Zheng Wang 20568d06f6 media: bttv: fix use after free error due to btv->timeout timer
[ Upstream commit bd5b50b329e850d467e7bcc07b2b6bde3752fbda ]

There may be a race condition between timer function
bttv_irq_timeout and bttv_remove. The timer is set up in
probe and there is no timer_delete operation in remove
function. When it hits kfree btv, the function might still be
invoked, which will cause a use after free bug.

This bug is found by static analysis, it may be a false positive.

Fix it by adding a del_timer_sync invocation to the remove function.

cpu0                cpu1
                  bttv_probe
                    ->timer_setup
                      ->bttv_set_dma
                        ->mod_timer;
bttv_remove
  ->kfree(btv);
                  ->bttv_irq_timeout
                    ->USE btv

Fixes: 162e6376ac ("media: pci: Convert timers to use timer_setup()")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-11-20 11:52:14 +01:00
..
bt848.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
bt878.c media: bt8xx: Fix a missing check bug in bt878_probe 2021-06-02 13:25:52 +02:00
bt878.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
btcx-risc.c media: bt8xx: avoid a useless memset 2020-11-27 14:09:34 +01:00
btcx-risc.h
bttv-audio-hook.c media: add SPDX headers to some files 2019-06-12 11:42:27 -04:00
bttv-audio-hook.h media: add SPDX headers to some files 2019-06-12 11:42:27 -04:00
bttv-cards.c media: drivers/media/pci/bt8xx/bttv-cards: fix typos 2021-04-06 10:35:28 +02:00
bttv-driver.c media: bttv: fix use after free error due to btv->timeout timer 2023-11-20 11:52:14 +01:00
bttv-gpio.c bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
bttv-i2c.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
bttv-if.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
bttv-input.c media: pci: bt8xx: convert to i2c_new_scanned_device 2020-01-08 14:31:54 +01:00
bttv-risc.c media: Bulk remove BUG_ON(in_interrupt()) 2020-11-16 10:31:10 +01:00
bttv-vbi.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
bttv.h
bttvp.h media: media/pci: don't set description for ENUM_FMT 2019-07-22 14:40:32 -04:00
dst_ca.c media: dvb: symbol fixup for dvb_attach() 2023-09-13 09:43:01 +02:00
dst_ca.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
dst_common.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 61 2019-05-24 17:36:45 +02:00
dst_priv.h
dst.c media: dvb: symbol fixup for dvb_attach() 2023-09-13 09:43:01 +02:00
dvb-bt8xx.c media: bt8xx: convert tasklets to use new tasklet_setup() API 2020-08-29 08:10:52 +02:00
dvb-bt8xx.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00
Kconfig media: Kconfig: cleanup VIDEO_DEV dependencies 2022-03-18 05:58:35 +01:00
Makefile