git.ipfire.org Git - thirdparty/kernel/stable.git/commit
media: exynos4-is: Fix a use after free in isp_video_release
author Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Sun, 9 May 2021 08:12:31 +0000 (10:12 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 20 Jul 2021 14:15:47 +0000 (16:15 +0200)
commit b334329a212ffd9dee8429d2bef2fcfc8d701f9d
tree 9e54937a526a5e820118e72d5dcf78cb8c403727
parent 65bff47cd80db4260cda82673e907079600404da
media: exynos4-is: Fix a use after free in isp_video_release

[ Upstream commit 01fe904c9afd26e79c1f73aa0ca2e3d785e5e319 ]

In isp_video_release, file->private_data is freed via
_vb2_fop_release()->v4l2_fh_release(). But the freed
file->private_data is still used in v4l2_fh_is_singular_file()
->v4l2_fh_is_singular(file->private_data), which is a use
after free bug.

My patch uses a variable 'is_singular_file' to avoid the uaf.
v3: https://lore.kernel.org/patchwork/patch/1419058/

Fixes: 34947b8aebe3f ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/media/platform/exynos4-is/fimc-isp-video.c
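
An added illustration, not code from the kernel tree or from the patch: a userspace C model of the ordering the commit message describes, where the singular-file check is read into `is_singular_file` before the handle is freed. The structs, the helper functions and the last-close cleanup are assumptions made for the model.

```c
/* Userspace model; every struct and function here is hypothetical, not a kernel API. */
#include <stdbool.h>
#include <stdlib.h>
struct dev  { int open_handles; bool hw_open; };
struct fh   { struct dev *dev; };
struct file { struct fh *private_data; };

static int video_open(struct file *f, struct dev *d)
{
    struct fh *fh = malloc(sizeof(*fh));
    if (!fh) return -1;
    fh->dev = d;
    d->open_handles++;
    f->private_data = fh;
    return 0;
}

/* Stands in for v4l2_fh_is_singular_file(): it reads through private_data. */
static bool is_singular(const struct file *f)
{
    return f->private_data->dev->open_handles == 1;
}

/* Stands in for _vb2_fop_release() -> v4l2_fh_release(): frees private_data. */
static void fh_release(struct file *f)
{
    f->private_data->dev->open_handles--;
    free(f->private_data);
    f->private_data = NULL; /* any later is_singular(f) would be invalid */
}

static void video_release(struct file *f)
{
    struct dev *d = f->private_data->dev;
    bool is_singular_file = is_singular(f); /* read while fh is still alive */
    fh_release(f);
    if (is_singular_file)   /* cached value: no access to the freed fh */
        d->hw_open = false; /* assumed last-close cleanup */
}

int main(void)
{
    struct dev d = { 0, true };
    struct file a, b;
    if (video_open(&a, &d) || video_open(&b, &d)) return 1;
    video_release(&a); /* another handle remains: hardware stays open */
    video_release(&b); /* last handle: cleanup runs */
    return d.hw_open ? 1 : 0;
}
```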