Re: [PATCH v3] media: bttv: fix use after free error due to btv->timeout timer

From: Hans Verkuil
Date: Thu Apr 13 2023 - 05:19:08 EST


Hi Zheng,

Deb Brouwer is working on converting bttv to the vb2 framework, so I want to
wait for that to finish before taking other bttv patches.

I suspect this is still valid post-vb2 conversion, but I'm not certain.

Regards,

Hans

On 13/04/2023 05:49, Zheng Wang wrote:
> There may be a race condition between the timer function
> bttv_irq_timeout and bttv_remove. The timer is set up in
> probe and there is no timer_delete operation in the remove
> function. When it hits kfree(btv), the function might still be
> invoked, which will cause a use-after-free bug.
>
> This bug was found by static analysis; it may be a false positive.
>
> Fix it by adding a del_timer_sync invocation to the remove function.
>
> cpu0                          cpu1
> bttv_probe
>   ->timer_setup
>   ->bttv_set_dma
>     ->mod_timer;
>                               bttv_remove
>                                 ->kfree(btv);
>   ->bttv_irq_timeout
>     ->USE btv
>
> Fixes: 162e6376ac58 ("media: pci: Convert timers to use timer_setup()")
> Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> ---
> v3:
> - Add Fix label
> v2:
> - stop replacing del_timer with del_timer_sync suggested by Hillf Danton
> ---
> drivers/media/pci/bt8xx/bttv-driver.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
> index d40b537f4e98..24ba5729969d 100644
> --- a/drivers/media/pci/bt8xx/bttv-driver.c
> +++ b/drivers/media/pci/bt8xx/bttv-driver.c
> @@ -4248,6 +4248,7 @@ static void bttv_remove(struct pci_dev *pci_dev)
>
> /* free resources */
> free_irq(btv->c.pci->irq,btv);
> + del_timer_sync(&btv->timeout);
> iounmap(btv->bt848_mmio);
> release_mem_region(pci_resource_start(btv->c.pci,0),
> pci_resource_len(btv->c.pci,0));
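Review bot: Placing del_timer_sync(&btv->timeout) right after free_irq() is the right order: once the interrupt handler can no longer run, nothing can re-arm btv->timeout via bttv_set_dma()->mod_timer(), so del_timer_sync() guarantees bttv_irq_timeout() has completed before the later kfree(btv) in bttv_remove(). Since the commit message itself says the report "may be a false positive", the log should state whether btv->timeout can actually still be pending when bttv_remove() runs (e.g. whether the normal streaming stop path already stops it); if it cannot, the call is still harmless, but the justification should say so.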