media: cx231xx: fix use-after-free when unregistering the i2c_client for the dvb demod

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Calling i2c_unregister_device for a demod driver destroys the frontend object.
Later it is accessed by calling dvb_unregister_frontend and
dvb_frontend_detach.

In some cases this leads to a general protection fault with this
callstack:

dvb_unregister_frontend+0x25/0x50 [dvb_core]
dvb_fini+0xdb/0x160 [cx231xx_dvb]
cx231xx_unregister_extension+0x3d/0xb0 [cx231xx]
cx231xx_dvb_unregister+0x10/0x809 [cx231xx_dvb]
SyS_delete_module+0x18a/0x240
? exit_to_usermode_loop+0x7b/0x80
entry_SYSCALL_64_fastpath+0x17/0x98

Signed-off-by: Matthias Schwarzott <zzam@gentoo.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

authored by

Matthias Schwarzott and committed by

Mauro Carvalho Chehab 8 years ago e59eb4ad 412b16d6

+3 -3

1 changed file

expand all

drivers

media

usb

cx231xx

cx231xx-dvb.c

+3 -3

drivers/media/usb/cx231xx/cx231xx-dvb.c

··· 585 585 dvb->demux.dmx.remove_frontend(&dvb->demux.dmx, &dvb->fe_hw); 586 586 dvb_dmxdev_release(&dvb->dmxdev); 587 587 dvb_dmx_release(&dvb->demux); 588 + dvb_unregister_frontend(dvb->frontend); 589 + dvb_frontend_detach(dvb->frontend); 590 + dvb_unregister_adapter(&dvb->adapter); 588 591 /* remove I2C tuner */ 589 592 client = dvb->i2c_client_tuner; 590 593 if (client) { ··· 600 597 module_put(client->dev.driver->owner); 601 598 i2c_unregister_device(client); 602 599 } 603 - dvb_unregister_frontend(dvb->frontend); 604 - dvb_frontend_detach(dvb->frontend); 605 - dvb_unregister_adapter(&dvb->adapter); 606 600 } 607 601 608 602 static int dvb_init(struct cx231xx *dev)