From: Sameeksha Sankpal <sameekshasankpal@gmail.com>
To: mchehab@kernel.org
Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
	Sameeksha Sankpal <sameekshasankpal@gmail.com>,
	syzbot+d445a71e1c011b592c16@syzkaller.appspotmail.com
Subject: [PATCH] media: dvb-core: fix use-after-free in dvb_device_open() error path
Date: Sat, 22 Nov 2025 11:42:25 +0530	[thread overview]
Message-ID: <20251122061225.47432-1-sameekshasankpal@gmail.com> (raw)

syzbot reported a slab-use-after-free in dvb_device_put() triggered when
opening a DVB device fails during the device-specific ->open() callback.

The root cause is a reference counting imbalance in dvb_device_open().
The code assigns a dvb_device pointer to file->private_data after calling
dvb_device_get(), but if the subsequent ->open() call fails, the error path
drops the reference with dvb_device_put() and returns an error.

However, the VFS layer will still call ->release() on the file, and
dvb_device_release() will call dvb_device_put() again on
file->private_data. Since the earlier put() already freed the device,
the release() path ends up operating on freed memory, leading to a
use-after-free.

Fix this by explicitly taking a reference for the file descriptor and
letting the ->release() method drop it, while the error path only drops
the reference acquired for the open logic. This ensures that the device
remains alive until VFS calls ->release(), regardless of ->open() failure.

Reported-by: syzbot+d445a71e1c011b592c16@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d445a71e1c011b592c16
Signed-off-by: Sameeksha Sankpal <sameekshasankpal@gmail.com>
---
 drivers/media/dvb-core/dvbdev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index 9df7c213716a..7fdc21a770a3 100644
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -103,7 +103,8 @@ static int dvb_device_open(struct inode *inode, struct file *file)
 		new_fops = fops_get(dvbdev->fops);
 		if (!new_fops)
 			goto fail;
-		file->private_data = dvb_device_get(dvbdev);
+		dvb_device_get(dvbdev);
+		file->private_data = dvbdev;
 		replace_fops(file, new_fops);
 		if (file->f_op->open)
 			err = file->f_op->open(inode, file);
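Review bot: the two new lines are behaviourally identical to the one they replace, so this hunk does not add the separate file-descriptor reference the commit message describes. `file->private_data = dvb_device_get(dvbdev);` already took one reference and stored the device pointer; `dvb_device_get(dvbdev);` followed by `file->private_data = dvbdev;` takes one reference and stores the same pointer, so the refcount at this point is unchanged (this assumes dvb_device_get() returns the pointer it is passed, which the removed line relied on). The failure path that runs dvb_device_put() when `err = file->f_op->open(inode, file);` fails is not touched by this diff, yet that is where the imbalance described above has to be resolved: either take a second reference here for the file so that the put on failure still leaves one for ->release(), or remove the put on the failure path and let ->release() be the single owner of the reference. As written the reference flow is the same as before the patch, and the description should match whatever the final change actually does.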
-- 
2.43.0