Zheng Wang 2f48c0a463 media: saa7134: fix use after free bug in saa7134_finidev due to race condition ... [ Upstream commit 30cf57da17 ] In saa7134_initdev, it will call saa7134_hwinit1. There are three function invoking here: saa7134_video_init1, saa7134_ts_init1 and saa7134_vbi_init1. All of them will init a timer with same function. Take saa7134_video_init1 as an example. It'll bound &dev->video_q.timeout with saa7134_buffer_timeout. In buffer_activate, the timer funtcion is started. If we remove the module or device which will call saa7134_finidev to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the timer works accordingly before cleanup in saa7134_finidev. CPU0 CPU1 |saa7134_buffer_timeout saa7134_finidev | kfree(dev); | | | saa7134_buffer_next | //use dev Fixes: 1e7126b4a8 ("media: saa7134: Convert timers to use timer_setup()") Signed-off-by: Zheng Wang <zyytlz.wz@163.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Sasha Levin <sashal@kernel.org>		2023-05-11 23:00:24 +09:00
..
b2c2	…
bt8xx	…
cobalt	…
cx18	…
cx88	media: cx88: Fix a null-ptr-deref bug in buffer_prepare()	2022-10-26 12:35:45 +02:00
cx23885	…
cx25821	…
ddbridge	…
dm1105	media: dm1105: Fix use after free bug in dm1105_remove due to race condition	2023-05-11 23:00:24 +09:00
dt3155	…
intel	media: ipu3-cio2: Fix PM runtime usage_count in driver unbind	2023-03-10 09:40:09 +01:00
ivtv	…
mantis	…
meye	…
netup_unidvb	…
ngene	…
pluto2	…
pt1	…
pt3	…
saa7134	media: saa7134: fix use after free bug in saa7134_finidev due to race condition	2023-05-11 23:00:24 +09:00
saa7146	…
saa7164	media: saa7164: fix missing pci_disable_device()	2022-12-31 13:14:16 +01:00
smipcie	…
solo6x10	media: solo6x10: fix possible memory leak in solo_sysfs_init()	2022-12-31 13:14:11 +01:00
sta2x11	…
ttpci	…
tw68	…
tw686x	media: tw686x: Fix memory leak in tw686x_video_init	2022-08-17 14:23:24 +02:00
tw5864	…
Kconfig	…
Makefile	…