From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Akinobu Mita, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin, linux-media@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 056/258] media: video-i2c: avoid accessing released memory area when removing driver
Date: Mon, 28 Jan 2019 10:56:02 -0500
Message-Id: <20190128155924.51521-56-sashal@kernel.org>
In-Reply-To: <20190128155924.51521-1-sashal@kernel.org>
References: <20190128155924.51521-1-sashal@kernel.org>

From: Akinobu Mita

[ Upstream commit c764da98a600a4b068d25c77164f092f159cecec ]

The video device release() callback for video-i2c driver frees the whole
struct video_i2c_data. If there is no user left for the video device
when video_unregister_device() is called, the release callback is executed.

However, in video_i2c_remove() some fields (v4l2_dev, lock, and queue_lock)
in struct video_i2c_data are still accessed after video_unregister_device()
is called.

This fixes the use after free by moving the code from video_i2c_remove()
to the release() callback.

Fixes: 5cebaac60974 ("media: video-i2c: add video-i2c driver")

Reviewed-by: Matt Ranostay
Signed-off-by: Akinobu Mita
Acked-by: Sakari Ailus
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
--- drivers/media/i2c/video-i2c.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/media/i2c/video-i2c.c b/drivers/media/i2c/video-i2c.c index 06d29d8f6be8..f27d294dcbef 100644 --- a/drivers/media/i2c/video-i2c.c +++ b/drivers/media/i2c/video-i2c.c 
@@ -510,7 +510,12 @@ static const struct v4l2_ioctl_ops video_i2c_ioctl_ops = { static void video_i2c_release(struct video_device *vdev) { - kfree(video_get_drvdata(vdev)); + struct video_i2c_data *data = video_get_drvdata(vdev); + + v4l2_device_unregister(&data->v4l2_dev); + mutex_destroy(&data->lock); + mutex_destroy(&data->queue_lock); + kfree(data); } static int video_i2c_probe(struct i2c_client *client, @@ -608,10 +613,6 @@ static int video_i2c_remove(struct i2c_client *client) struct video_i2c_data *data = i2c_get_clientdata(client); video_unregister_device(&data->vdev); - v4l2_device_unregister(&data->v4l2_dev); - - mutex_destroy(&data->lock); - mutex_destroy(&data->queue_lock); return 0; } -- 2.19.1
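Review bot: In video_i2c_release(), `data` is now dereferenced (`&data->v4l2_dev`, `&data->lock`, `&data->queue_lock`), whereas the old `kfree(video_get_drvdata(vdev))` tolerated a NULL drvdata. video_i2c_probe() is outside this diff, so please confirm that drvdata is always set before the video device can be registered and released, or add a NULL check here. A short comment stating that this callback owns the whole teardown of struct video_i2c_data, and can run later than video_i2c_remove() when a user still holds the device, would help keep the ordering intact.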
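Review bot: In video_i2c_remove(), nothing documents that `data` may already be freed once `video_unregister_device(&data->vdev)` returns, which is exactly the condition the removed lines violated. Please add a comment after that call saying `data` must not be touched from there on, so that future cleanup is added to video_i2c_release() rather than here. The probe error path is not part of this diff; it is worth checking that it still unregisters v4l2_dev and destroys both mutexes itself when the video device was never registered, since video_i2c_release() would not run in that case.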