linux-sg2042/include/media
Hyunwoo Kim 4a8ecfb220 media: dvb-core: Fix use-after-free due to race at dvb_register_device()
[ Upstream commit 627bb528b0 ]

dvb_register_device() dynamically allocates fops with kmemdup()
to set the fops->owner.
And these fops are registered in 'file->f_ops' using replace_fops()
in the dvb_device_open() process, and kfree()d in dvb_free_device().

However, it is not common to use dynamically allocated fops instead
of 'static const' fops as an argument of replace_fops(),
and UAF may occur.
These UAFs can occur on any dvb type using dvb_register_device(),
such as dvb_dvr, dvb_demux, dvb_frontend, dvb_net, etc.

So, instead of kfree() the fops dynamically allocated in
dvb_register_device() in dvb_free_device() called during the
.disconnect() process, kfree() it collectively in exit_dvbdev()
called when the dvbdev.c module is removed.

Link: https://lore.kernel.org/linux-media/20221117045925.14297-4-imv4bel@gmail.com
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-06-09 10:34:12 +02:00
..
davinci media: davinci: deprecate dm644x_ccdc, dm355_cddc and dm365_isif 2022-08-29 16:45:34 +02:00
drv-intf media: saa7146: deprecate hexium_gemini/orion, mxb and ttpci 2022-08-29 16:46:38 +02:00
i2c media: cx88: add IR remote support for NotOnlyTV LV3H 2022-09-24 11:21:43 +02:00
tpg media: v4l2-tpg: add HDMI Video Guard Band test pattern 2022-06-20 10:30:30 +01:00
cec-notifier.h Update rmk's email address in various drivers 2020-04-21 17:50:09 +01:00
cec-pin.h media: cec-gpio: handle gpiod_get_value errors correctly 2020-04-29 12:04:38 +02:00
cec.h media: cec-adap.c: drop activate_cnt, use state info instead 2022-05-13 11:29:39 +02:00
demux.h media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
dmxdev.h media: dmxdev: drop unneeded <linux/kernel.h> inclusion from other headers 2021-12-14 16:19:04 +01:00
dvb-usb-ids.h media: dvb-usb: dib0700_devices: use an enum for the device number 2022-04-18 07:36:44 +02:00
dvb_ca_en50221.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_demux.h media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
dvb_frontend.h media: media dvb_frontend: add suspend and resume callbacks to dvb_frontend_ops 2021-11-19 15:57:22 +00:00
dvb_math.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_net.h media: dvb-core: Fix use-after-free due on race condition at dvb_net 2023-06-09 10:34:12 +02:00
dvb_ringbuffer.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_vb2.h media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
dvbdev.h media: dvb-core: Fix use-after-free due to race at dvb_register_device() 2023-06-09 10:34:12 +02:00
frame_vector.h media: videobuf2: Move frame_vector into media subsystem 2021-01-12 14:15:31 +01:00
imx.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
media-dev-allocator.h media: Fix Media Controller API config checks 2021-06-24 14:26:00 +02:00
media-device.h media: mc: entity: Merge media_entity_enum_init and __media_entity_enum_init 2022-09-24 09:10:38 +02:00
media-devnode.h media: media-devnode.h: drop duplicated word in comment 2020-07-19 14:00:12 +02:00
media-entity.h media: mc: convert pipeline funcs to take media_pad 2022-09-24 09:22:30 +02:00
media-request.h media: media requests: return EBADR instead of EACCES 2019-03-25 13:26:10 -04:00
mipi-csi2.h media: Add MIPI CSI-2 28 bits per pixel raw data type 2022-05-17 09:17:26 +02:00
rc-core.h media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
rc-map.h media: rc: add keymap for Toshiba CT-90405 remote 2021-06-08 15:56:58 +02:00
rcar-fcp.h media: rcar-fcp: convert to SPDX identifiers 2018-09-12 09:29:03 -04:00
tuner-types.h media: tuner-types: add kernel-doc markups for struct tunertype 2017-12-18 09:06:40 -05:00
tuner.h Linux 5.15-rc4 2021-10-04 07:52:13 +02:00
tveeprom.h
v4l2-async.h media: v4l2-async: Add notifier operation to destroy asd instances 2022-07-17 11:20:08 +01:00
v4l2-common.h media fixes for v6.1-rc2 2022-10-22 15:30:15 -07:00
v4l2-ctrls.h media: v4l2-ctrls: drop 'elems' argument from control type ops. 2022-09-24 08:49:06 +02:00
v4l2-dev.h media: mc: convert pipeline funcs to take media_pad 2022-09-24 09:22:30 +02:00
v4l2-device.h media: fix kernel-doc markups 2020-11-16 10:31:16 +01:00
v4l2-dv-timings.h media: fix kernel-doc markups 2020-11-16 10:31:16 +01:00
v4l2-event.h media: v4l2-dev/event: add v4l2_event_wake_all() 2021-01-04 13:14:25 +01:00
v4l2-fh.h media: v4l2-fh: define v4l2_fh struct regardless of condition 2020-04-21 13:40:06 +02:00
v4l2-flash-led-class.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
v4l2-fwnode.h media: Remove incorrect comment from struct v4l2_fwnode_endpoint 2022-09-24 09:06:49 +02:00
v4l2-h264.h media: h264: Sort p/b reflist using frame_num 2022-05-17 10:02:29 +02:00
v4l2-image-sizes.h media: v4l2-image-sizes: add HD and Full-HD definitions 2020-04-21 17:21:51 +02:00
v4l2-ioctl.h media: v4l2: prepare compat-ioctl rework 2020-11-16 10:31:05 +01:00
v4l2-jpeg.h media: Add parsing for APP14 data segment in jpeg helpers 2021-03-22 10:35:36 +01:00
v4l2-mc.h media: v4l2-mc: Add link flags to v4l2_create_fwnode_links_to_pad() 2021-03-11 11:59:52 +01:00
v4l2-mediabus.h media: media/v4l2-core: Add enum V4L2_FWNODE_BUS_TYPE_DPI 2022-05-17 09:09:59 +02:00
v4l2-mem2mem.h media: media/v4l2-mem2mem.h: rename 'videobuf' to 'vb2' 2022-08-29 15:47:03 +02:00
v4l2-rect.h media: v4l2-rect.h: add enclosed rectangle helper 2020-07-04 12:29:38 +02:00
v4l2-subdev.h media: subdev: increase V4L2_FRAME_DESC_ENTRY_MAX to 8 2022-09-24 09:08:28 +02:00
v4l2-uvc.h media: uvcvideo: Add GUID for BGRA/X 8:8:8:8 2023-03-11 13:55:35 +01:00
v4l2-vp9.h media: Add VP9 v4l2 library 2021-11-22 07:47:13 +00:00
videobuf-core.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 2019-06-19 17:09:07 +02:00
videobuf-dma-contig.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 2019-06-19 17:09:07 +02:00
videobuf-dma-sg.h media: videobuf-dma-sg: number of pages should be unsigned long 2020-09-03 11:12:20 +02:00
videobuf-vmalloc.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 2019-06-19 17:09:07 +02:00
videobuf2-core.h media: vb2: videobuf -> videobuf2 2022-08-29 15:38:09 +02:00
videobuf2-dma-contig.h media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size 2020-06-11 19:20:55 +02:00
videobuf2-dma-sg.h media: Change Andrzej Pietrasiewicz's e-mail address 2019-01-16 11:21:07 -05:00
videobuf2-dvb.h media: vb2: videobuf -> videobuf2 2022-08-29 15:38:09 +02:00
videobuf2-memops.h media: videobuf2-vmalloc: get_userptr: buffers are always writable 2019-05-29 08:05:58 -04:00
videobuf2-v4l2.h media: videobuf2: Remove vb2_find_timestamp() 2022-08-30 14:44:45 +02:00
videobuf2-vmalloc.h
vsp1.h media: vsp1: Add premultiplied alpha support 2022-09-07 23:48:39 +03:00