Subject: Re: [PATCH v3] media:exynos4-is: Fix a use after free in isp_video_release
To: Lv Yunlong, s.nawrocki@samsung.com, mchehab@kernel.org, krzk@kernel.org
Cc: linux-media@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20210427132734.5212-1-lyl2019@mail.ustc.edu.cn>
From: Hans Verkuil
Message-ID: <44f264d9-e039-66b6-6e4b-1a5b3c386aa4@xs4all.nl>
Date: Wed, 5 May 2021 11:31:04 +0200
In-Reply-To: <20210427132734.5212-1-lyl2019@mail.ustc.edu.cn>

Hi Lv Yunlong,

On 27/04/2021 15:27, Lv Yunlong wrote:
> In isp_video_release, file->private_data is freed via
> _vb2_fop_release()->v4l2_fh_release(). But the freed
> file->private_data is still used in v4l2_fh_is_singular_file()
> ->v4l2_fh_is_singular(file->private_data), which is a use
> after free bug.
>
> My patch sets file->private_data to NULL after _vb2_fop_release()
> to avoid the use after free, and uses a variable 'is_singular_file'
> to keep the original function unchanged.

Actually, it is the use of 'is_singular_file' that fixes the bug, the
'file->private_data = NULL;' is unnecessary here.
That said, it would be a really good idea if in a separate patch you make v4l2_fh_release() more robust by setting filp->private_data to NULL after the kfree(fh). Regards, Hans > > Fixes: 34947b8aebe3f ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver") > Signed-off-by: Lv Yunlong > --- > drivers/media/platform/exynos4-is/fimc-isp-video.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.c b/drivers/media/platform/exynos4-is/fimc-isp-video.c > index 612b9872afc8..c07dcb0bccc2 100644 > --- a/drivers/media/platform/exynos4-is/fimc-isp-video.c > +++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c > @@ -306,17 +306,21 @@ static int isp_video_release(struct file *file) > struct fimc_is_video *ivc = &isp->video_capture; > struct media_entity *entity = &ivc->ve.vdev.entity; > struct media_device *mdev = entity->graph_obj.mdev; > + bool is_singular_file; > > mutex_lock(&isp->video_lock); > > - if (v4l2_fh_is_singular_file(file) && ivc->streaming) { > + is_singular_file = v4l2_fh_is_singular_file(file); > + > + if (is_singular_file && ivc->streaming) { > media_pipeline_stop(entity); > ivc->streaming = 0; > } > > _vb2_fop_release(file, NULL); > + file->private_data = NULL; > > - if (v4l2_fh_is_singular_file(file)) { > + if (is_singular_file) { > fimc_pipeline_call(&ivc->ve, close); > > mutex_lock(&mdev->graph_mutex); > _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
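Review bot: the added `file->private_data = NULL;` after `_vb2_fop_release(file, NULL);` is redundant in this hunk and should be dropped: the use after free is closed by sampling `is_singular_file = v4l2_fh_is_singular_file(file);` before the release and testing `if (is_singular_file)` afterwards, so nothing in `isp_video_release()` reads `private_data` once the handle is gone. The commit message should say the same thing, since it currently presents the NULL assignment as the fix and the cached boolean as a cosmetic aid, which is the reverse of what the diff does. If `private_data` is to be cleared as general hardening, that belongs in `v4l2_fh_release()` in a separate patch, as the reply suggests, not in one driver's release path.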
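To make the teardown-order problem in the quoted hunk concrete, here is an added C model that is not kernel code and not part of the patch or the reply: `fh_is_singular_file`, `fop_release` and `run_variant` are constructed stand-ins for the V4L2 helpers, and the model assumes the real `v4l2_fh_is_singular_file()` returns false on a NULL `private_data`. It runs the original order, the v3 fix that caches the flag before release, and a NULL-only variant side by side and counts reads of the released handle and pipeline closes.

```c
/* Constructed model of the isp_video_release() teardown order, not kernel code.
 * A 'freed' flag replaces kfree() so that a later read of the handle is counted. */
#include <stdbool.h>
#include <stddef.h>

struct v4l2_fh { int open_handles; bool freed; };
struct file { struct v4l2_fh *private_data; };
struct video_capture { bool streaming; int pipeline_closes; int uaf_reads; };

/* Stand-in for v4l2_fh_is_singular_file(). Returning false on a NULL
 * private_data is an assumption of this model. */
static bool fh_is_singular_file(struct file *file, struct video_capture *ivc)
{
	struct v4l2_fh *fh = file->private_data;
	if (!fh) return false;
	if (fh->freed) ivc->uaf_reads++;	/* the use after free from the commit message */
	return fh->open_handles == 1;
}

/* Stand-in for _vb2_fop_release()->v4l2_fh_release(). clear_private_data
 * models the hardening suggested for v4l2_fh_release() itself. */
static void fop_release(struct file *file, bool clear_private_data)
{
	file->private_data->freed = true;	/* models kfree(fh) */
	if (clear_private_data) file->private_data = NULL;
}

/* cache_first selects the v3 fix: sample the flag before the handle is released. */
static void isp_video_release(struct file *file, struct video_capture *ivc,
			      bool cache_first, bool clear_private_data)
{
	bool is_singular_file = fh_is_singular_file(file, ivc);

	if (is_singular_file && ivc->streaming)
		ivc->streaming = false;	/* media_pipeline_stop() */
	fop_release(file, clear_private_data);
	if (!cache_first)	/* original code re-evaluates on the released handle */
		is_singular_file = fh_is_singular_file(file, ivc);
	if (is_singular_file) ivc->pipeline_closes++;	/* fimc_pipeline_call(..., close) */
}

/* Runs one variant on the only open, streaming handle and reports what happened. */
struct video_capture run_variant(bool cache_first, bool clear_private_data)
{
	struct v4l2_fh fh = { .open_handles = 1, .freed = false };
	struct file file = { .private_data = &fh };
	struct video_capture ivc = { .streaming = true };

	isp_video_release(&file, &ivc, cache_first, clear_private_data);
	return ivc;
}
```

Under the model's NULL assumption, the NULL-only variant avoids the freed read but never reaches the pipeline close, which is why the cached boolean, not the NULL assignment, is the fix.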