From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8AD94C433E2 for ; Tue, 8 Sep 2020 18:31:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4B58E2080C for ; Tue, 8 Sep 2020 18:31:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1599589866; bh=dSgfDF7A+7Ljbs8JZpiJIeXcJxK9p0Odimxqp23FnoM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=H92cXbRerPwCUfsuLK6B7WtwaZt4h4mdFnf10xGTASOXscKBJhOE5vHjnwN4R+iLO tIYuruPNFmFXCSYi5Kk7fOvbS5+FFGFkM3u2/zdnDWSZd8Ds7+w34Cd4U/2dhC2bRT wFTXPKFtq+9Gnu+TMlHM/fPoc76UzE+bSeNn2fxc= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731781AbgIHSbE (ORCPT ); Tue, 8 Sep 2020 14:31:04 -0400 Received: from mail.kernel.org ([198.145.29.99]:53538 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731382AbgIHQJi (ORCPT ); Tue, 8 Sep 2020 12:09:38 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 02D2E24641; Tue, 8 Sep 2020 15:50:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1599580206; bh=dSgfDF7A+7Ljbs8JZpiJIeXcJxK9p0Odimxqp23FnoM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Kg+314HE8WH2lxtTDmsYluclG0oTPnCTB0c80VymJEw3ki87hEqyRL+RrlWZn6JlY 778QuF3NIG4dCkb/jEXkWnoj4deXhWMna19IAvxakGDzNCcstV+VEIgjMa29PWqiKi UTe2XglTx1A+hsHNBlFD0qiYt6qdJv7dz8KjAsWY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+ceef16277388d6f24898@syzkaller.appspotmail.com, Hillf Danton , Sean Young , Mauro Carvalho Chehab Subject: [PATCH 4.19 72/88] media: rc: uevent sysfs file races with rc_unregister_device() Date: Tue, 8 Sep 2020 17:26:13 +0200 Message-Id: <20200908152224.785231848@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200908152221.082184905@linuxfoundation.org> References: <20200908152221.082184905@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sean Young commit 4f0835d6677dc69263f90f976524cb92b257d9f4 upstream. Only report uevent file contents if device still registered, else we might read freed memory. Reported-by: syzbot+ceef16277388d6f24898@syzkaller.appspotmail.com Cc: Hillf Danton Cc: # 4.16+ Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/rc/rc-main.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) --- a/drivers/media/rc/rc-main.c +++ b/drivers/media/rc/rc-main.c @@ -1568,25 +1568,25 @@ static void rc_dev_release(struct device kfree(dev); } -#define ADD_HOTPLUG_VAR(fmt, val...) \ - do { \ - int err = add_uevent_var(env, fmt, val); \ - if (err) \ - return err; \ - } while (0) - static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env) { struct rc_dev *dev = to_rc_dev(device); + int ret = 0; - if (dev->rc_map.name) - ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name); - if (dev->driver_name) - ADD_HOTPLUG_VAR("DRV_NAME=%s", dev->driver_name); - if (dev->device_name) - ADD_HOTPLUG_VAR("DEV_NAME=%s", dev->device_name); + mutex_lock(&dev->lock); - return 0; + if (!dev->registered) + ret = -ENODEV; + if (ret == 0 && dev->rc_map.name) + ret = add_uevent_var(env, "NAME=%s", dev->rc_map.name); + if (ret == 0 && dev->driver_name) + ret = add_uevent_var(env, "DRV_NAME=%s", dev->driver_name); + if (ret == 0 && dev->device_name) + ret = add_uevent_var(env, "DEV_NAME=%s", dev->device_name); + + mutex_unlock(&dev->lock); + + return ret; } /* @@ -1970,14 +1970,14 @@ void rc_unregister_device(struct rc_dev del_timer_sync(&dev->timer_keyup); del_timer_sync(&dev->timer_repeat); - rc_free_rx_device(dev); - mutex_lock(&dev->lock); if (dev->users && dev->close) dev->close(dev); dev->registered = false; mutex_unlock(&dev->lock); + rc_free_rx_device(dev); + /* * lirc device should be freed with dev->registered = false, so * that userspace polling will get notified.