git.baikalelectronics.ru Git - kernel.git/commit

author	Lin Ma <linma@zju.edu.cn>
	Sun, 7 Aug 2022 14:59:52 +0000 (15:59 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 18 Jan 2023 10:41:37 +0000 (11:41 +0100)
commit	18f89663fcd8676d4670e9a3331ae07f86f6b222
tree	bb24298d193ce7fa67cab935ed7a750dc770d9db	tree \| snapshot
parent	60dd295cb24a05511fe7ff80bcb3a75edf01aef8	commit \| diff

media: dvbdev: adopts refcnt to avoid UAF

[ Upstream commit a7bbea26d6b6d04b2c42932a0e2f957ec1d34e3d ]

dvb_unregister_device() is known that prone to use-after-free.
That is, the cleanup from dvb_unregister_device() releases the dvb_device
even if there are pointers stored in file->private_data still refer to it.

This patch adds a reference counter into struct dvb_device and delays its
deallocation until no pointer refers to the object.

Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/media/dvb-core/dvb_ca_en50221.c		diff \| blob \| history
drivers/media/dvb-core/dvb_frontend.c		diff \| blob \| history
drivers/media/dvb-core/dvbdev.c		diff \| blob \| history
include/media/dvbdev.h		diff \| blob \| history