media: dvbdev: adopts refcnt to avoid UAF (6d18b44b) · Commits · CodeLinaro / la / kernel / msm

Commit 6d18b44b authored 2 years ago by Lin Ma Committed by Greg Kroah-Hartman 2 years ago

media: dvbdev: adopts refcnt to avoid UAF

[ Upstream commit 0fc044b2 ]

dvb_unregister_device() is known that prone to use-after-free.
That is, the cleanup from dvb_unregister_device() releases the dvb_device
even if there are pointers stored in file->private_data still refer to it.

This patch adds a reference counter into struct dvb_device and delays its
deallocation until no pointer refers to the object.

Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn


Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 438a4a8d

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 44 additions and 23 deletions

Please register or to comment