[PATCH 0/3] media: meson-ir-tx: Some cleanups and simplifications and a bug report
Uwe Kleine-König
u.kleine-koenig at pengutronix.de
Thu Oct 26 03:18:17 PDT 2023
Hello,
while looking around for drivers still using platform_driver_probe() I
found the meson-ir-tx driver. While looking at it I identified a few
patch opportunities.
I think the driver might be used to trigger a use after free problem
that is caused by the ir core. With my current understanding the
following is possible:
1) open the ir device and keep it open
2) unbind the meson-ir-tx device
3) trigger calling .tx_ir = meson_irtx_transmit using the opened
device using write()
2) can be done using sysfs or (maybe) by module unloading. The result is
that the memory pointed to by ir is freed and the register mapping goes
away. Even meson_irtx_transmit() might disappear then. Calling
meson_irtx_transmit() then yields all kind of fun.
I didn't debug in detail so I might miss something. To fix that you have
to make sure that the callbacks don't get called any more once the rc
device is unregistered (and track that information in memory that
doesn't go away with the parent device's remove callback completing).
Best regards
Uwe
Uwe Kleine-König (3):
media: meson-ir-tx: Convert to use devm_rc_register_device()
media: meson-ir-tx: Simplify and improve using dev_err_probe()
media: meson-ir-tx: Drop usage of platform_driver_probe()
drivers/media/rc/meson-ir-tx.c | 34 ++++++++++------------------------
1 file changed, 10 insertions(+), 24 deletions(-)
base-commit: 0bb80ecc33a8fb5a682236443c1e740d5c917d1d
--
2.42.0
More information about the linux-arm-kernel
mailing list