media: exynos4-is: Fix a use after free in isp_video_release
author Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Sun, 9 May 2021 08:12:31 +0000 (10:12 +0200)
committer Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Wed, 2 Jun 2021 11:17:24 +0000 (13:17 +0200)
commit 01fe904c9afd26e79c1f73aa0ca2e3d785e5e319
tree 46c828addfc416fdad2ff0ca3f67f1ce2956c417
parent f9c2fd3bb85768f35e1d2bb6b357a214db3b7817

In isp_video_release, file->private_data is freed via
_vb2_fop_release()->v4l2_fh_release(). But the freed
file->private_data is still used in v4l2_fh_is_singular_file()
->v4l2_fh_is_singular(file->private_data), which is a use
after free bug.

My patch uses a variable 'is_singular_file' to avoid the uaf.
v3: https://lore.kernel.org/patchwork/patch/1419058/

Fixes: 34947b8aebe3f ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
drivers/media/platform/exynos4-is/fimc-isp-video.c
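
The ordering problem described in the commit message, as an added user-space model; it is not code from the patch or the kernel. All `model_*` names, the structs and the "streaming" teardown are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdlib.h>
/* User-space model with hypothetical names; not the driver's code. */
struct device { int open_handles; int streaming; };
struct handle { struct device *dev; };
struct file   { void *private_data; };

static bool model_open(struct device *dev, struct file *f)
{
    struct handle *h = calloc(1, sizeof(*h));
    if (!h)
        return false;
    h->dev = dev;
    dev->open_handles++;
    f->private_data = h;
    return true;
}

/* Stands in for v4l2_fh_is_singular_file(): dereferences private_data. */
static bool model_is_singular(const struct file *f)
{
    const struct handle *h = f->private_data;
    return h && h->dev->open_handles == 1;
}

/* Stands in for the release path that frees file->private_data. */
static void model_fh_release(struct file *f)
{
    struct handle *h = f->private_data;
    if (h) { h->dev->open_handles--; free(h); }
    f->private_data = NULL; /* model choice: leave no dangling pointer */
}

/* Safe order: sample the predicate while the handle is alive, release,
 * then act only on the saved value, never on f->private_data again. */
static int model_release(struct device *dev, struct file *f)
{
    bool is_singular_file = model_is_singular(f);
    model_fh_release(f);
    if (is_singular_file)
        dev->streaming = 0; /* hypothetical last-close teardown */
    return is_singular_file;
}

int main(void)
{
    struct device d = { 0, 1 };
    struct file a = { 0 }, b = { 0 };
    return (model_open(&d, &a) && model_open(&d, &b) &&
            !model_release(&d, &a) && model_release(&d, &b)) ? 0 : 1;
}
```

Building the model with `-fsanitize=address` and moving the `model_is_singular(f)` call after `model_fh_release(f)` without the pointer reset is a quick way to see the class of report this ordering produces.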