linux/drivers/media/pci/saa7134/saa7134-vbi.c
Zheng Wang 30cf57da17 media: saa7134: fix use after free bug in saa7134_finidev due to race condition
In saa7134_initdev, it will call saa7134_hwinit1. There are three
function invoking here: saa7134_video_init1, saa7134_ts_init1
and saa7134_vbi_init1.

All of them will init a timer with same function. Take
saa7134_video_init1 as an example. It'll bound &dev->video_q.timeout
with saa7134_buffer_timeout.

In buffer_activate, the timer funtcion is started.

If we remove the module or device which will call saa7134_finidev
to make cleanup, there may be a unfinished work. The
possible sequence is as follows, which will cause a
typical UAF bug.

Fix it by canceling the timer works accordingly before cleanup in
saa7134_finidev.

CPU0                  CPU1

                    |saa7134_buffer_timeout
saa7134_finidev     |
  kfree(dev);       |
                    |
                    | saa7134_buffer_next
                    | //use dev

Fixes: 1e7126b4a86a ("media: saa7134: Convert timers to use timer_setup()")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2023-04-11 17:10:10 +02:00

211 lines
6.1 KiB
C

// SPDX-License-Identifier: GPL-2.0-or-later
/*
*
* device driver for philips saa7134 based TV cards
* video4linux video interface
*
* (c) 2001,02 Gerd Knorr <kraxel@bytesex.org> [SuSE Labs]
*/
#include "saa7134.h"
#include "saa7134-reg.h"
#include <linux/init.h>
#include <linux/list.h>
#include <linux/module.h>
#include <linux/kernel.h>
/* ------------------------------------------------------------------ */
static unsigned int vbi_debug;
module_param(vbi_debug, int, 0644);
MODULE_PARM_DESC(vbi_debug,"enable debug messages [vbi]");
static unsigned int vbibufs = 4;
module_param(vbibufs, int, 0444);
MODULE_PARM_DESC(vbibufs,"number of vbi buffers, range 2-32");
#define vbi_dbg(fmt, arg...) do { \
if (vbi_debug) \
printk(KERN_DEBUG pr_fmt("vbi: " fmt), ## arg); \
} while (0)
/* ------------------------------------------------------------------ */
#define VBI_LINE_COUNT 17
#define VBI_LINE_LENGTH 2048
#define VBI_SCALE 0x200
static void task_init(struct saa7134_dev *dev, struct saa7134_buf *buf,
int task)
{
struct saa7134_tvnorm *norm = dev->tvnorm;
/* setup video scaler */
saa_writeb(SAA7134_VBI_H_START1(task), norm->h_start & 0xff);
saa_writeb(SAA7134_VBI_H_START2(task), norm->h_start >> 8);
saa_writeb(SAA7134_VBI_H_STOP1(task), norm->h_stop & 0xff);
saa_writeb(SAA7134_VBI_H_STOP2(task), norm->h_stop >> 8);
saa_writeb(SAA7134_VBI_V_START1(task), norm->vbi_v_start_0 & 0xff);
saa_writeb(SAA7134_VBI_V_START2(task), norm->vbi_v_start_0 >> 8);
saa_writeb(SAA7134_VBI_V_STOP1(task), norm->vbi_v_stop_0 & 0xff);
saa_writeb(SAA7134_VBI_V_STOP2(task), norm->vbi_v_stop_0 >> 8);
saa_writeb(SAA7134_VBI_H_SCALE_INC1(task), VBI_SCALE & 0xff);
saa_writeb(SAA7134_VBI_H_SCALE_INC2(task), VBI_SCALE >> 8);
saa_writeb(SAA7134_VBI_PHASE_OFFSET_LUMA(task), 0x00);
saa_writeb(SAA7134_VBI_PHASE_OFFSET_CHROMA(task), 0x00);
saa_writeb(SAA7134_VBI_H_LEN1(task), dev->vbi_hlen & 0xff);
saa_writeb(SAA7134_VBI_H_LEN2(task), dev->vbi_hlen >> 8);
saa_writeb(SAA7134_VBI_V_LEN1(task), dev->vbi_vlen & 0xff);
saa_writeb(SAA7134_VBI_V_LEN2(task), dev->vbi_vlen >> 8);
saa_andorb(SAA7134_DATA_PATH(task), 0xc0, 0x00);
}
/* ------------------------------------------------------------------ */
static int buffer_activate(struct saa7134_dev *dev,
struct saa7134_buf *buf,
struct saa7134_buf *next)
{
struct saa7134_dmaqueue *dmaq = buf->vb2.vb2_buf.vb2_queue->drv_priv;
unsigned long control, base;
vbi_dbg("buffer_activate [%p]\n", buf);
buf->top_seen = 0;
task_init(dev, buf, TASK_A);
task_init(dev, buf, TASK_B);
saa_writeb(SAA7134_OFMT_DATA_A, 0x06);
saa_writeb(SAA7134_OFMT_DATA_B, 0x06);
/* DMA: setup channel 2+3 (= VBI Task A+B) */
base = saa7134_buffer_base(buf);
control = SAA7134_RS_CONTROL_BURST_16 |
SAA7134_RS_CONTROL_ME |
(dmaq->pt.dma >> 12);
saa_writel(SAA7134_RS_BA1(2), base);
saa_writel(SAA7134_RS_BA2(2), base + dev->vbi_hlen * dev->vbi_vlen);
saa_writel(SAA7134_RS_PITCH(2), dev->vbi_hlen);
saa_writel(SAA7134_RS_CONTROL(2), control);
saa_writel(SAA7134_RS_BA1(3), base);
saa_writel(SAA7134_RS_BA2(3), base + dev->vbi_hlen * dev->vbi_vlen);
saa_writel(SAA7134_RS_PITCH(3), dev->vbi_hlen);
saa_writel(SAA7134_RS_CONTROL(3), control);
/* start DMA */
saa7134_set_dmabits(dev);
mod_timer(&dmaq->timeout, jiffies + BUFFER_TIMEOUT);
return 0;
}
static int buffer_prepare(struct vb2_buffer *vb2)
{
struct saa7134_dmaqueue *dmaq = vb2->vb2_queue->drv_priv;
struct saa7134_dev *dev = dmaq->dev;
struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb2);
struct saa7134_buf *buf = container_of(vbuf, struct saa7134_buf, vb2);
struct sg_table *dma = vb2_dma_sg_plane_desc(vb2, 0);
unsigned int size;
if (dma->sgl->offset) {
pr_err("The buffer is not page-aligned\n");
return -EINVAL;
}
size = dev->vbi_hlen * dev->vbi_vlen * 2;
if (vb2_plane_size(vb2, 0) < size)
return -EINVAL;
vb2_set_plane_payload(vb2, 0, size);
return saa7134_pgtable_build(dev->pci, &dmaq->pt, dma->sgl, dma->nents,
saa7134_buffer_startpage(buf));
}
static int queue_setup(struct vb2_queue *q,
unsigned int *nbuffers, unsigned int *nplanes,
unsigned int sizes[], struct device *alloc_devs[])
{
struct saa7134_dmaqueue *dmaq = q->drv_priv;
struct saa7134_dev *dev = dmaq->dev;
unsigned int size;
dev->vbi_vlen = dev->tvnorm->vbi_v_stop_0 - dev->tvnorm->vbi_v_start_0 + 1;
if (dev->vbi_vlen > VBI_LINE_COUNT)
dev->vbi_vlen = VBI_LINE_COUNT;
dev->vbi_hlen = VBI_LINE_LENGTH;
size = dev->vbi_hlen * dev->vbi_vlen * 2;
*nbuffers = saa7134_buffer_count(size, *nbuffers);
*nplanes = 1;
sizes[0] = size;
return 0;
}
static int buffer_init(struct vb2_buffer *vb2)
{
struct saa7134_dmaqueue *dmaq = vb2->vb2_queue->drv_priv;
struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb2);
struct saa7134_buf *buf = container_of(vbuf, struct saa7134_buf, vb2);
dmaq->curr = NULL;
buf->activate = buffer_activate;
return 0;
}
const struct vb2_ops saa7134_vbi_qops = {
.queue_setup = queue_setup,
.buf_init = buffer_init,
.buf_prepare = buffer_prepare,
.buf_queue = saa7134_vb2_buffer_queue,
.wait_prepare = vb2_ops_wait_prepare,
.wait_finish = vb2_ops_wait_finish,
.start_streaming = saa7134_vb2_start_streaming,
.stop_streaming = saa7134_vb2_stop_streaming,
};
/* ------------------------------------------------------------------ */
int saa7134_vbi_init1(struct saa7134_dev *dev)
{
INIT_LIST_HEAD(&dev->vbi_q.queue);
timer_setup(&dev->vbi_q.timeout, saa7134_buffer_timeout, 0);
dev->vbi_q.dev = dev;
if (vbibufs < 2)
vbibufs = 2;
if (vbibufs > VIDEO_MAX_FRAME)
vbibufs = VIDEO_MAX_FRAME;
return 0;
}
int saa7134_vbi_fini(struct saa7134_dev *dev)
{
/* nothing */
del_timer_sync(&dev->vbi_q.timeout);
return 0;
}
void saa7134_irq_vbi_done(struct saa7134_dev *dev, unsigned long status)
{
spin_lock(&dev->slock);
if (dev->vbi_q.curr) {
/* make sure we have seen both fields */
if ((status & 0x10) == 0x00) {
dev->vbi_q.curr->top_seen = 1;
goto done;
}
if (!dev->vbi_q.curr->top_seen)
goto done;
saa7134_buffer_finish(dev, &dev->vbi_q, VB2_BUF_STATE_DONE);
}
saa7134_buffer_next(dev, &dev->vbi_q);
done:
spin_unlock(&dev->slock);
}