media: dvbdev: adopts refcnt to avoid UAF

dvb_unregister_device() is known that prone to use-after-free. That is, the cleanup from dvb_unregister_device() releases the dvb_device even if there are pointers stored in file->private_data still refer to it. This patch adds a reference counter into struct dvb_device and delays its deallocation until no pointer refers to the object. Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn Signed-off-by: Lin Ma <linma@zju.edu.cn> Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
author: Lin Ma <linma@zju.edu.cn> 2022-08-07 15:59:52 +0100
committer: Mauro Carvalho Chehab <mchehab@kernel.org> 2022-11-25 10:08:23 +0000
commit: 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 (patch)
tree: bbf176c361eb5d46f8b79d923239f42363c5ba9a /drivers/media/dvb-core/dvb_ca_en50221.c
parent: 9b7de3c2daf503f86ab0641f377402b8d7f5e485 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index 15a08d8c69ef..c2d2792227f8 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -157,7 +157,7 @@ static void dvb_ca_private_free(struct dvb_ca_private *ca)
 {
 	unsigned int i;
 
-	dvb_free_device(ca->dvbdev);
+	dvb_device_put(ca->dvbdev);
 	for (i = 0; i < ca->slot_count; i++)
 		vfree(ca->slot_info[i].rx_buffer.data);
author	Lin Ma <linma@zju.edu.cn>	2022-08-07 15:59:52 +0100
committer	Mauro Carvalho Chehab <mchehab@kernel.org>	2022-11-25 10:08:23 +0000
commit	0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 (patch)
tree	bbf176c361eb5d46f8b79d923239f42363c5ba9a /drivers/media/dvb-core/dvb_ca_en50221.c
parent	9b7de3c2daf503f86ab0641f377402b8d7f5e485 (diff)