[PATCH] media: dvb-core: fix use-after-free in dvb_device_open() error path

[PATCH] media: dvb-core: fix use-after-free in dvb_device_open() error path

[Sameeksha Sankpal]

syzbot reported a slab-use-after-free in dvb_device_put() triggered when
opening a DVB device fails during the device-specific ->open() callback.

The root cause is a reference counting imbalance in dvb_device_open().
The code assigns a dvb_device pointer to file->private_data after calling
dvb_device_get(), but if the subsequent ->open() call fails, the error path
drops the reference with dvb_device_put() and returns an error.

However, the VFS layer will still call ->release() on the file, and
dvb_device_release() will call dvb_device_put() again on
file->private_data. Since the earlier put() already freed the device,
the release() path ends up operating on freed memory, leading to a
use-after-free.

Fix this by explicitly taking a reference for the file descriptor and
letting the ->release() method drop it, while the error path only drops
the reference acquired for the open logic. This ensures that the device
remains alive until VFS calls ->release(), regardless of ->open() failure.

Reported-by: syzbot+d445a71e1c011b592c16@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d445a71e1c011b592c16
Signed-off-by: Sameeksha Sankpal <sameekshasankpal@gmail.com>
---
 drivers/media/dvb-core/dvbdev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index 9df7c213716a..7fdc21a770a3 100644
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -103,7 +103,8 @@ static int dvb_device_open(struct inode *inode, struct file *file)
 		new_fops = fops_get(dvbdev->fops);
 		if (!new_fops)
 			goto fail;
-		file->private_data = dvb_device_get(dvbdev);
+		dvb_device_get(dvbdev);
+		file->private_data = dvbdev;
 		replace_fops(file, new_fops);
 		if (file->f_op->open)
 			err = file->f_op->open(inode, file);
-- 
2.43.0