media: cx231xx: fix use-after-free when unregistering the i2c_client for the dvb demod
Calling i2c_unregister_device for a demod driver destroys the frontend object.
Later it is accessed by calling dvb_unregister_frontend and
dvb_frontend_detach.
In some cases this leads to a general protection fault with this
callstack:
dvb_unregister_frontend+0x25/0x50 [dvb_core]
dvb_fini+0xdb/0x160 [cx231xx_dvb]
cx231xx_unregister_extension+0x3d/0xb0 [cx231xx]
cx231xx_dvb_unregister+0x10/0x809 [cx231xx_dvb]
SyS_delete_module+0x18a/0x240
? exit_to_usermode_loop+0x7b/0x80
entry_SYSCALL_64_fastpath+0x17/0x98
Signed-off-by: Matthias Schwarzott <zzam@gentoo.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
projects / platform / kernel / linux-exynos.git / commit