review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Lin Ma <linma@zju.edu.cn>
	Sun, 7 Aug 2022 14:59:52 +0000 (15:59 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 31 Dec 2022 12:14:43 +0000 (13:14 +0100)
commit	88a6f8a72d167294c0931c7874941bf37a41b6dd
tree	a18f72e4418c6706b2670af863cf74a7f3452150	tree \| snapshot
parent	438cd29fec3ea09769639f6032687e0c1434dbe0	commit \| diff

media: dvbdev: adopts refcnt to avoid UAF

[ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ]

dvb_unregister_device() is known that prone to use-after-free.
That is, the cleanup from dvb_unregister_device() releases the dvb_device
even if there are pointers stored in file->private_data still refer to it.

This patch adds a reference counter into struct dvb_device and delays its
deallocation until no pointer refers to the object.

Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/media/dvb-core/dvb_ca_en50221.c		diff \| blob \| history
drivers/media/dvb-core/dvb_frontend.c		diff \| blob \| history
drivers/media/dvb-core/dvbdev.c		diff \| blob \| history
include/media/dvbdev.h		diff \| blob \| history