media: vidtv: move kfree(dvb) to vidtv_bridge_dev_release()

Adding kfree(dvb) to vidtv_bridge_remove() will remove the memory too soon: if an application still has an open filehandle to the device when the driver is unloaded, then when that filehandle is closed, a use-after-free access takes place to the freed memory. Move the kfree(dvb) to vidtv_bridge_dev_release() instead. Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Fixes: 76e21bb ("media: vidtv: Fix memory leak in remove") Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
mariux64 · Oct 19, 2021 · 112024a · 112024a
1 parent fe47b6d
commit 112024a
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
@@ -557,14 +557,17 @@ static int vidtv_bridge_remove(struct platform_device *pdev)
 	dvb_dmxdev_release(&dvb->dmx_dev);
 	dvb_dmx_release(&dvb->demux);
 	dvb_unregister_adapter(&dvb->adapter);
-	kfree(dvb);
 	dev_info(&pdev->dev, "Successfully removed vidtv\n");
 
 	return 0;
 }
 
 static void vidtv_bridge_dev_release(struct device *dev)
 {
+	struct vidtv_dvb *dvb;
+
+	dvb = dev_get_drvdata(dev);
+	kfree(dvb);
 }
 
 static struct platform_device vidtv_bridge_dev = {