[lvc-project] [PATCH RESEND] media: dvb-core: fix dvb device instance leak
Dmitry Antipov
dmantipov at yandex.ru
Wed Jul 1 10:03:49 MSK 2026
After the 'replace_fops()' trick in 'dvb_device_open()', the reference count
of the corresponding 'struct dvb_device' instance can't be managed in
a regular way (e.g. by using 'dvb_device_put()' in the '.release' callback
of 'dvb_device_ops'). Since there is a race condition between
'dvb_dmxdev_release()' and 'dvb_demux_release()' (there is no way to
guarantee that the former always sees the non-zero 'exit' flag possibly set
by the latter), an extra check for a non-zero 'minor' field of 'struct
dvb_device' is used to ensure that the device has passed through
'dvb_register_device()', has a reference count greater than or equal to 2,
and that the call to 'dvb_device_put()' from 'dvb_demux_release()' never
actually frees the device (with 'dvb_free_device()' called via 'kref_put()').
Reported-by: syzbot+d37184d9d8cc34602616 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d37184d9d8cc34602616
Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
---
This is a resend of https://lore.kernel.org/all/20260216154152.2597331-1-dmantipov@yandex.ru/T.
Since 6.12.x looks affected, cc: stable as well.
---
drivers/media/dvb-core/dmxdev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/dvb-core/dmxdev.c b/drivers/media/dvb-core/dmxdev.c
index 3c8bc75e4d6c..c33490acba15 100644
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -1256,6 +1256,9 @@ static int dvb_demux_release(struct inode *inode, struct file *file)
} else
mutex_unlock(&dmxdev->mutex);
+ if (dmxdev->dvbdev->minor)
+ dvb_device_put(dmxdev->dvbdev);
+
return ret;
}
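Review bot: The new `if (dmxdev->dvbdev->minor)` test sits after the `mutex_unlock(&dmxdev->mutex)` in the else branch, so `dmxdev->dvbdev` and its `minor` field are read without the mutex held, while the commit message itself says `dvb_dmxdev_release()` can race with this function. Please either move the check and the `dvb_device_put()` under the lock or state why the pointer cannot be cleared or freed at this point. The added lines also carry no comment: the reason a non-zero `minor` is taken to mean "registered, refcount at least 2" is only in the commit message, and nothing in the hunk shows that 0 can never be the minor of a registered device. A short comment above the `if` naming the `replace_fops()` reference this put balances would make the pairing auditable, since the matching get is not visible here.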
--
2.54.0