diff options
| author | Hans Verkuil <hverkuil-cisco@xs4all.nl> | 2021-09-14 10:21:25 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-11-17 13:04:51 +0300 |
| commit | 4f2bf4fe6c0d4100763753fb7bb2635ee96825a6 (patch) | |
| tree | 2b34913d8c148b89aa973ab753fc5c8da24cbbd6 | |
| parent | af09862cb5661cfdedd114ae50c7aaed94bd185a (diff) | |
| download | linux-4f2bf4fe6c0d4100763753fb7bb2635ee96825a6.tar.xz | |
media: vidtv: move kfree(dvb) to vidtv_bridge_dev_release()
commit 112024a3b6dcfc62ec36ea0cf58b897f2ce54c59 upstream.
Adding kfree(dvb) to vidtv_bridge_remove() will remove the memory
too soon: if an application still has an open filehandle to the device
when the driver is unloaded, then when that filehandle is closed, a
use-after-free access takes place to the freed memory.
Move the kfree(dvb) to vidtv_bridge_dev_release() instead.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: 76e21bb8be4f ("media: vidtv: Fix memory leak in remove")
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/media/test-drivers/vidtv/vidtv_bridge.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c index 0f6d998d18dc..82620613d56b 100644 --- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c +++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c @@ -557,7 +557,6 @@ static int vidtv_bridge_remove(struct platform_device *pdev) dvb_dmxdev_release(&dvb->dmx_dev); dvb_dmx_release(&dvb->demux); dvb_unregister_adapter(&dvb->adapter); - kfree(dvb); dev_info(&pdev->dev, "Successfully removed vidtv\n"); return 0; @@ -565,6 +564,10 @@ static int vidtv_bridge_remove(struct platform_device *pdev) static void vidtv_bridge_dev_release(struct device *dev) { + struct vidtv_dvb *dvb; + + dvb = dev_get_drvdata(dev); + kfree(dvb); } static struct platform_device vidtv_bridge_dev = { |