Linux kernel source tree
Duoming Zhou 40b7a19f32 media: tuner: xc5000: Fix use-after-free in xc5000_release
The original code uses cancel_delayed_work() in xc5000_release(), which
does not guarantee that the delayed work item timer_sleep has fully
completed if it was already running. This leads to use-after-free scenarios
where xc5000_release() may free the xc5000_priv while timer_sleep is still
active and attempts to dereference the xc5000_priv.

A typical race condition is illustrated below:

CPU 0 (release thread)                 | CPU 1 (delayed work callback)
xc5000_release()                       | xc5000_do_timer_sleep()
  cancel_delayed_work()                |
  hybrid_tuner_release_state(priv)     |
    kfree(priv)                        |
                                       |   priv = container_of() // UAF

Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
that the timer_sleep is properly canceled before the xc5000_priv memory
is deallocated.

A deadlock concern was considered: xc5000_release() is called in a process
context and is not holding any locks that the timer_sleep work item might
also need. Therefore, the use of the _sync() variant is safe here.

This bug was initially identified through static analysis.

Fixes: f7a27ff1fb ("[media] xc5000: delay tuner sleep to 5 seconds")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[hverkuil: fix typo in Subject: tunner -> tuner]
2025-09-17 12:15:35 +02:00
Documentation media: dt-bindings: Add qcom,qcs8300-camss compatible 2025-09-09 15:59:21 +02:00
LICENSES LICENSES: Replace the obsolete address of the FSF in the GFDL-1.2 2025-07-24 11:15:39 +02:00
arch - Fix an interrupt vector setup race which leads to a non-functioning device 2025-08-10 08:15:32 +03:00
block block-6.17-20250808 2025-08-09 08:47:28 +03:00
certs sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 2024-09-20 19:52:48 +03:00
crypto Significant patch series in this pull request: 2025-08-03 16:23:09 -07:00
drivers media: tuner: xc5000: Fix use-after-free in xc5000_release 2025-09-17 12:15:35 +02:00
fs NFS client updates for Linux 6.17 2025-08-09 07:20:44 +03:00
include media: uvcvideo: Support UVC_CROSXU_CONTROL_IQ_PROFILE 2025-09-13 18:35:02 +02:00
init Significant patch series in this pull request: 2025-08-03 16:23:09 -07:00
io_uring io_uring/memmap: cast nr_pages to size_t before shifting 2025-08-08 06:35:14 -06:00
ipc vfs-6.17-rc1.mmap_prepare 2025-07-28 13:43:25 -07:00
kernel - Remove an obsolete comment and fix spelling 2025-08-10 08:51:37 +03:00
lib block-6.17-20250808 2025-08-09 08:47:28 +03:00
mm Significant patch series in this pull request: 2025-08-05 16:02:07 +03:00
net NFS client updates for Linux 6.17 2025-08-09 07:20:44 +03:00
rust Rust changes for v6.17 2025-08-03 13:49:10 -07:00
samples media: v4l2-pci-skeleton: Rename second ioctl handlers argument to 'void *priv' 2025-08-13 08:33:59 +02:00
scripts Kbuild updates for v6.17 2025-08-06 07:32:52 +03:00
security + Features 2025-08-04 08:17:28 -07:00
sound gpio updates for v6.17-rc1 2025-08-09 08:15:43 +03:00
tools tools/power turbostat: version 2025.09.09 2025-08-10 09:02:36 +03:00
usr usr/include: openrisc: don't HDRTEST bpf_perf_event.h 2025-05-12 15:03:17 +09:00
virt Merge tag 'kvm-x86-no_assignment-6.17' of https://github.com/kvm-x86/linux into HEAD 2025-07-29 08:36:42 -04:00
.clang-format Linux 6.15-rc5 2025-05-06 16:39:25 +10:00
.clippy.toml rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros` configuration 2025-05-07 00:11:47 +02:00
.cocciconfig
.editorconfig .editorconfig: remove trim_trailing_whitespace option 2024-06-13 16:47:52 +02:00
.get_maintainer.ignore MAINTAINERS: Retire Ralf Baechle 2024-11-12 15:48:59 +01:00
.gitattributes .gitattributes: set diff driver for Rust source code files 2023-05-31 17:48:25 +02:00
.gitignore gitignore: allow .pylintrc to be tracked 2025-07-02 17:10:04 -06:00
.mailmap MAINTAINERS: Update Vikash Garodia's email address 2025-09-09 15:59:20 +02:00
.pylintrc docs: add a .pylintrc file with sys path for docs scripts 2025-04-09 12:10:33 -06:00
.rustfmt.toml
COPYING
CREDITS Kbuild updates for v6.17 2025-08-06 07:32:52 +03:00
Kbuild drm: ensure drm headers are self-contained and pass kernel-doc 2025-02-12 10:44:43 +02:00
Kconfig io_uring: Rename KConfig to Kconfig 2025-02-19 14:53:27 -07:00
MAINTAINERS MAINTAINERS: Update Vikash Garodia's email address 2025-09-09 15:59:20 +02:00
Makefile Linux 6.17-rc1 2025-08-10 19:41:16 +03:00
README README: Fix spelling 2024-03-18 03:36:32 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.