git.baikalelectronics.ru Git - kernel.git/commit

author	Lin Ma <linma@zju.edu.cn>
	Sun, 7 Aug 2022 14:59:52 +0000 (15:59 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 18 Jan 2023 10:41:37 +0000 (11:41 +0100)
commit	ca1b65f59546c16eed2b595c79d3cbe7e5a7aa26
tree	bb24298d193ce7fa67cab935ed7a750dc770d9db	tree \| snapshot
parent	d703eaa6593ec00cde81669f174ac48513057835	commit \| diff

media: dvbdev: adopts refcnt to avoid UAF

[ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ]

dvb_unregister_device() is known that prone to use-after-free.
That is, the cleanup from dvb_unregister_device() releases the dvb_device
even if there are pointers stored in file->private_data still refer to it.

This patch adds a reference counter into struct dvb_device and delays its
deallocation until no pointer refers to the object.

Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/media/dvb-core/dvb_ca_en50221.c		diff \| blob \| history
drivers/media/dvb-core/dvb_frontend.c		diff \| blob \| history
drivers/media/dvb-core/dvbdev.c		diff \| blob \| history
include/media/dvbdev.h		diff \| blob \| history