* [PATCH] vidtv: move kfree(dvb) to vidtv_bridge_dev_release()
@ 2021-09-14 7:21 Hans Verkuil
From: Hans Verkuil @ 2021-09-14 7:21 UTC (permalink / raw)
To: Linux Media Mailing List; +Cc: Daniel W. S. Almeida
Adding kfree(dvb) to vidtv_bridge_remove() will remove the memory
too soon: if an application still has an open filehandle to the device
when the driver is unloaded, then when that filehandle is closed, a
use-after-free access takes place to the freed memory.
Move the kfree(dvb) to vidtv_bridge_dev_release() instead.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: 28bcf7de1bfd ("media: vidtv: Fix memory leak in remove")
---
diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
index 0f6d998d18dc..82620613d56b 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
@@ -557,7 +557,6 @@ static int vidtv_bridge_remove(struct platform_device *pdev)
dvb_dmxdev_release(&dvb->dmx_dev);
dvb_dmx_release(&dvb->demux);
dvb_unregister_adapter(&dvb->adapter);
- kfree(dvb);
dev_info(&pdev->dev, "Successfully removed vidtv\n");
return 0;
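Review bot: After this removal nothing in vidtv_bridge_remove() says where dvb is freed, and the commit named in the Fixes: tag added the kfree() here precisely to close a leak, so the next reader is likely to put it back. Please leave a short comment after dvb_unregister_adapter() stating that dvb is released in vidtv_bridge_dev_release() because an open filehandle can outlive remove(). It is also worth checking the unbind and rebind case: remove() can run without the platform device being released, and if probe allocates a fresh dvb each time (not visible in this hunk) the old one stays allocated until the device goes away.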
@@ -565,6 +564,10 @@ static int vidtv_bridge_remove(struct platform_device *pdev)
static void vidtv_bridge_dev_release(struct device *dev)
{
+ struct vidtv_dvb *dvb;
+
+ dvb = dev_get_drvdata(dev);
+ kfree(dvb);
}
static struct platform_device vidtv_bridge_dev = {
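Review bot: The dev_get_drvdata(dev) lookup in vidtv_bridge_dev_release() is only safe if drvdata still points at dvb when the release callback runs. The driver core resets drvdata to NULL once a driver has been unbound from the device, and kfree(NULL) is a silent no-op, so if remove() has already run by the time release is called this frees nothing and quietly brings back the leak that 28bcf7de1bfd fixed. Please confirm the ordering on module unload (for example with kmemleak), or keep the pointer somewhere that survives unbind. Minor style point: the declaration and assignment can be one line, struct vidtv_dvb *dvb = dev_get_drvdata(dev);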