From 6990570f7e0a6078e11b9c5dc13f4b6e3f49a398 Mon Sep 17 00:00:00 2001 From: Dafna Hirschfeld Date: Wed, 19 Feb 2020 16:25:54 +0100 Subject: media: v4l2-core: fix a use-after-free bug of sd->devnode sd->devnode is released after calling v4l2_subdev_release. Therefore it should be set to NULL so that the subdev won't hold a pointer to a released object. This fixes a reference after free bug in function v4l2_device_unregister_subdev Fixes: 0e43734d4c46e ("media: v4l2-subdev: add release() internal op") Cc: stable@vger.kernel.org Signed-off-by: Dafna Hirschfeld Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- drivers/media/v4l2-core/v4l2-device.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/media/v4l2-core/v4l2-device.c') diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c index 63d6b147b21e..41da73ce2e98 100644 --- a/drivers/media/v4l2-core/v4l2-device.c +++ b/drivers/media/v4l2-core/v4l2-device.c @@ -179,6 +179,7 @@ static void v4l2_subdev_release(struct v4l2_subdev *sd) if (sd->internal_ops && sd->internal_ops->release) sd->internal_ops->release(sd); + sd->devnode = NULL; module_put(owner); } -- cgit From aead0ffbf078e0098ca6cfd1625029ff9347b10d Mon Sep 17 00:00:00 2001 From: Eugen Hristev Date: Wed, 26 Feb 2020 16:28:16 +0100 Subject: media: v4l2-core: fix entity initialization in device_register_subdev The entity variable was being initialized in the wrong place, before the parameters have been checked. To solve this, completely removed the entity variable and replaced it with the initialization value : &sd->entity. This will avoid dereferencing 'sd' pointer before it's being checked if it's NULL. Fixes: 61f5db549dde ("[media] v4l: Make v4l2_subdev inherit from media_entity") Signed-off-by: Eugen Hristev Acked-by: Sakari Ailus Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- drivers/media/v4l2-core/v4l2-device.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'drivers/media/v4l2-core/v4l2-device.c') diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c index 41da73ce2e98..c69941214bb2 100644 --- a/drivers/media/v4l2-core/v4l2-device.c +++ b/drivers/media/v4l2-core/v4l2-device.c @@ -111,9 +111,6 @@ EXPORT_SYMBOL_GPL(v4l2_device_unregister); int v4l2_device_register_subdev(struct v4l2_device *v4l2_dev, struct v4l2_subdev *sd) { -#if defined(CONFIG_MEDIA_CONTROLLER) - struct media_entity *entity = &sd->entity; -#endif int err; /* Check for valid input */ @@ -143,7 +140,7 @@ int v4l2_device_register_subdev(struct v4l2_device *v4l2_dev, #if defined(CONFIG_MEDIA_CONTROLLER) /* Register the entity. */ if (v4l2_dev->mdev) { - err = media_device_register_entity(v4l2_dev->mdev, entity); + err = media_device_register_entity(v4l2_dev->mdev, &sd->entity); if (err < 0) goto error_module; } @@ -163,7 +160,7 @@ int v4l2_device_register_subdev(struct v4l2_device *v4l2_dev, error_unregister: #if defined(CONFIG_MEDIA_CONTROLLER) - media_device_unregister_entity(entity); + media_device_unregister_entity(&sd->entity); #endif error_module: if (!sd->owner_v4l2_dev) -- cgit