diff options
| author | Chen Zhongjin <[email protected]> | 2022-11-08 03:30:05 +0000 |
|---|---|---|
| committer | Mauro Carvalho Chehab <[email protected]> | 2022-11-25 10:18:03 +0000 |
| commit | a574359e2e71ce16be212df3a082ed60a4bd2c5f (patch) | |
| tree | 76fa7f30d56f444283147f5e7bcce93b0485cc21 /net/lapb/lapb_timer.c | |
| parent | 0f298a4379fa7b47b0d0af8777098913ab44264d (diff) | |
media: dvb-core: Fix ignored return value in dvb_register_frontend()
In dvb_register_frontend(), dvb_register_device() is possible to fail
but its return value is ignored.
It will cause use-after-free when module is removed, because in
dvb_unregister_frontend() it tries to unregister a not registered
device.
BUG: KASAN: use-after-free in dvb_remove_device+0x18b/0x1f0 [dvb_core]
Read of size 4 at addr ffff88800dff4824 by task rmmod/428
CPU: 3 PID: 428 Comm: rmmod
Call Trace:
<TASK>
...
dvb_remove_device+0x18b/0x1f0 [dvb_core]
dvb_unregister_frontend+0x7b/0x130 [dvb_core]
vidtv_bridge_remove+0x6e/0x160 [dvb_vidtv_bridge]
...
Fix this by catching return value of dvb_register_device().
However the fe->refcount can't be put to zero immediately, because
there are still modules calling dvb_frontend_detach() when
dvb_register_frontend() fails.
Link: https://lore.kernel.org/linux-media/[email protected]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Chen Zhongjin <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Diffstat (limited to 'net/lapb/lapb_timer.c')
0 files changed, 0 insertions, 0 deletions