aboutsummaryrefslogtreecommitdiff
path: root/tools/testing/selftests/bpf/prog_tests/autoload.c
diff options
context:
space:
mode:
authorHyunwoo Kim <imv4bel@gmail.com>2022-11-17 04:59:24 +0000
committerMauro Carvalho Chehab <mchehab@kernel.org>2023-05-14 06:30:58 +0100
commit627bb528b086b4136315c25d6a447a98ea9448d3 (patch)
tree47b999d037e43720c4cf1bfed135c88f118e393f /tools/testing/selftests/bpf/prog_tests/autoload.c
parent4172385b0c9ac366dcab78eda48c26814b87ed1a (diff)
media: dvb-core: Fix use-after-free due to race at dvb_register_device()
dvb_register_device() dynamically allocates fops with kmemdup() to set the fops->owner. And these fops are registered in 'file->f_ops' using replace_fops() in the dvb_device_open() process, and kfree()d in dvb_free_device(). However, it is not common to use dynamically allocated fops instead of 'static const' fops as an argument of replace_fops(), and UAF may occur. These UAFs can occur on any dvb type using dvb_register_device(), such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc. So, instead of kfree() the fops dynamically allocated in dvb_register_device() in dvb_free_device() called during the .disconnect() process, kfree() it collectively in exit_dvbdev() called when the dvbdev.c module is removed. Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Diffstat (limited to 'tools/testing/selftests/bpf/prog_tests/autoload.c')
0 files changed, 0 insertions, 0 deletions
Powered by cgit, Gruvboxed by Blaster4385.