git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Hyunwoo Kim <imv4bel@gmail.com>
	Thu, 17 Nov 2022 04:59:23 +0000 (04:59 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 9 Jun 2023 08:28:57 +0000 (10:28 +0200)
commit	ed47886a73dbc0477ae09a4a979e27317cf2b52d
tree	ccafcbe0a673c43452837a929f2a786238278af1	tree \| snapshot
parent	e9033a425ab277b611a049bab333d122d94461e1	commit \| diff

media: dvb-core: Fix use-after-free due on race condition at dvb_net

[ Upstream commit 4172385b0c9ac366dcab78eda48c26814b87ed1a ]

A race condition may occur between the .disconnect function, which
is called when the device is disconnected, and the dvb_device_open()
function, which is called when the device node is open()ed.
This results in several types of UAFs.

The root cause of this is that you use the dvb_device_open() function,
which does not implement a conditional statement
that checks 'dvbnet->exit'.

So, add 'remove_mutex` to protect 'dvbnet->exit' and use
locked_dvb_net_open() function to check 'dvbnet->exit'.

[mchehab: fix a checkpatch warning]

Link: https://lore.kernel.org/linux-media/20221117045925.14297-3-imv4bel@gmail.com
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/media/dvb-core/dvb_net.c		diff \| blob \| blame \| history
include/media/dvb_net.h		diff \| blob \| blame \| history