Hans Verkuil <hverkuil@xxxxxxxxx> wrote on Thu, 13 Apr 2023 at 17:18:
>
> Hi Zheng,
>
> Deb Brouwer is working on converting bttv to the vb2 framework, so I want to
> wait for that to finish before taking other bttv patches.
>
> I suspect this is still valid post-vb2 conversion, but I'm not certain.
>
> Regards,
>
> Hans
>

Hi Hans,

Thank you for your prompt response and for letting me know about the conversion of BTTV to the vb2 framework by Deb Brouwer. I will wait for that to finish before submitting any other BTTV patches.

Best regards,
Zheng

> On 13/04/2023 05:49, Zheng Wang wrote:
> > There may be a race condition between the timer function
> > bttv_irq_timeout and bttv_remove. The timer is set up in
> > probe and there is no timer_delete operation in the remove
> > function. When it hits kfree btv, the function might still be
> > invoked, which will cause a use-after-free bug.
> >
> > This bug is found by static analysis, it may be a false positive.
> >
> > Fix it by adding a del_timer_sync invocation to the remove function.
> >
> > cpu0                  cpu1
> > bttv_probe
> >   ->timer_setup
> >   ->bttv_set_dma
> >     ->mod_timer;
> >                       bttv_remove
> >                         ->kfree(btv);
> >   ->bttv_irq_timeout
> >     ->USE btv
> >
> > Fixes: 162e6376ac58 ("media: pci: Convert timers to use timer_setup()")
> > Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> > ---
> > v3:
> > - Add Fix label
> > v2:
> > - stop replacing del_timer with del_timer_sync suggested by Hillf Danton
> > ---
> >  drivers/media/pci/bt8xx/bttv-driver.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
> > index d40b537f4e98..24ba5729969d 100644
> > --- a/drivers/media/pci/bt8xx/bttv-driver.c
> > +++ b/drivers/media/pci/bt8xx/bttv-driver.c
> > @@ -4248,6 +4248,7 @@ static void bttv_remove(struct pci_dev *pci_dev) > > > > /* free resources */ > > free_irq(btv->c.pci->irq,btv); > > + del_timer_sync(&btv->timeout); > > iounmap(btv->bt848_mmio); > > release_mem_region(pci_resource_start(btv->c.pci,0), > > pci_resource_len(btv->c.pci,0)); >
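Review bot: placing del_timer_sync(&btv->timeout) after free_irq() is the right order for the race the commit message describes (the timer is armed from bttv_set_dma, i.e. from the interrupt path, so once the IRQ is released nothing there can re-arm it), but del_timer_sync() gives no guarantee against a handler that re-arms itself: if bttv_irq_timeout can reach bttv_set_dma and mod_timer again, the timer can be queued again after this call returns and still fire on the freed btv. Where that is possible, timer_shutdown_sync(&btv->timeout) (available since v6.2) is the call for a remove path, since it also turns later re-arms into no-ops. Separately, the Fixes: tag points at the timer_setup() conversion, which only changed the timer API and did not drop a delete that was never present; it should name the commit that first armed btv->timeout from probe without cancelling it in remove, or be dropped if that commit cannot be identified.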