[git:media_tree/master] media: v4l2-core: fix a use-after-free bug of sd->devnode

* [git:media_tree/master] media: v4l2-core: fix a use-after-free bug of sd->devnode
@ 2020-03-05 21:44 Mauro Carvalho Chehab
  0 siblings, 0 replies; only message in thread
From: Mauro Carvalho Chehab @ 2020-03-05 21:44 UTC (permalink / raw)
  To: linuxtv-commits; +Cc: Dafna Hirschfeld, Ezequiel Garcia, stable, Hans Verkuil

This is an automatic generated email to let you know that the following patch were queued:

Subject: media: v4l2-core: fix a use-after-free bug of sd->devnode
Author:  Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
Date:    Wed Feb 19 16:25:54 2020 +0100

sd->devnode is released after calling
v4l2_subdev_release. Therefore it should be set
to NULL so that the subdev won't hold a pointer
to a released object. This fixes a reference
after free bug in function
v4l2_device_unregister_subdev

Fixes: 0e43734d4c46e ("media: v4l2-subdev: add release() internal op")

Cc: stable@vger.kernel.org
Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

 drivers/media/v4l2-core/v4l2-device.c | 1 +
 1 file changed, 1 insertion(+)

---

diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c
index 63d6b147b21e..41da73ce2e98 100644
--- a/drivers/media/v4l2-core/v4l2-device.c
+++ b/drivers/media/v4l2-core/v4l2-device.c
@@ -179,6 +179,7 @@ static void v4l2_subdev_release(struct v4l2_subdev *sd)
 
 	if (sd->internal_ops && sd->internal_ops->release)
 		sd->internal_ops->release(sd);
+	sd->devnode = NULL;
 	module_put(owner);
 }
 

^ permalink raw reply related	[flat|nested] only message in thread