Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1670026pxj; Sun, 9 May 2021 01:27:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzKXCcqt/FsYL9IJzh8aNBthnJrUhPs+qDTEMpVYA9WhZM7L2EQ1asmDjHSfdCMKeNZIc3m X-Received: by 2002:a6b:6013:: with SMTP id r19mr14219025iog.208.1620548834655; Sun, 09 May 2021 01:27:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620548834; cv=none; d=google.com; s=arc-20160816; b=FzBcQ9u4rTtx1GOZrjCq3BvsR5UbKUyz4sL9JJPI1VZ9uamYJ3ZhSrBVNJQvmNlXFQ QpPuVf46Qk5v16K68FpdRofiYHzVMbQVnZIDyUDxzSZR4mWfJL5fxn01RlprfajTsFwh FJXovVAryePphyEUgeIi0gmc4zrl2mjdG0HkJ3pJ5vo7u0BvXPBwnG6yVKOu1u8kKDHv Emvlz/fVMoH+qaNGK3JzuC2askN83j2o1oPSK9FM7GQQMJIW2PEiR1eT7Mw33MYvAd56 s3f/Bq9KWch5IEByM3aKnunAUiAKaWeN5f90YyA2pmZCu0KdHz2qNLK9g1RktmIzr2Jn faaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=GCQNYVBiRrAYzt6P+dgqDmO7mYx+FOosgyHkV+nlvPM=; b=LOWFlYYtp/JDa4VPS+gdENZ8T/k5JG2GEoxho0oLP//i/nXrbN4ZLbCjWl3VwZs3A+ g+K/PQDlq5uYVP9uqvvEeCRuPGSkhg7EGSmRyHKqE4ehDtIEF11Mpv6vmg6uSOr/v05n Ggn548IeZtNK32usBjrmIgJW7fj7IakmIDXyFNPEpVByQCc+gbzMJIS2vKk9XntOJBaO xFxsz8BGpDyMiyyEmKEDBYy2j5bB68M4607r91LGmBdc/iKcvAGr8M4f3NmiBvq+pMll MM4HejGhE8mgbXQ+DvdVZCmq1p8kHuTZLdWf+bbQflih+859dj0/L6qFglGS0Pzyp3mh fQaA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mail.ustc.edu.cn header.s=dkim header.b=nQLktWOY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mail.ustc.edu.cn Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b11si7543875jat.114.2021.05.09.01.27.01; Sun, 09 May 2021 01:27:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mail.ustc.edu.cn header.s=dkim header.b=nQLktWOY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mail.ustc.edu.cn Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229683AbhEIIZK (ORCPT + 99 others); Sun, 9 May 2021 04:25:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36518 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229585AbhEIIZJ (ORCPT ); Sun, 9 May 2021 04:25:09 -0400 Received: from ustc.edu.cn (email6.ustc.edu.cn [IPv6:2001:da8:d800::8]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 46E3BC061573; Sun, 9 May 2021 01:24:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.ustc.edu.cn; s=dkim; h=Received:From:To:Cc:Subject:Date: Message-Id:MIME-Version:Content-Transfer-Encoding; bh=GCQNYVBiRr AYzt6P+dgqDmO7mYx+FOosgyHkV+nlvPM=; b=nQLktWOYuCsov1+gSL3IsPKwc0 La06m811bkcGPXQ41eTK3bU5Ig1BBLKHpkKNa/P+tjkHPkpf5WFhAinnRSjc8U1e jBEyysYHhSz0tvYehV8JtK53zSJO6LamqU8/FeYmhj1wq9TswHhIzaH1JaSsuDbf ksWc9SLgCKUm8ZXlE= Received: from ubuntu.localdomain (unknown [202.38.69.14]) by newmailweb.ustc.edu.cn (Coremail) with SMTP id LkAmygCXnkYknJdgUSmsAA--.2211S4; Sun, 09 May 2021 16:24:04 +0800 (CST) From: Lv Yunlong To: mchehab@kernel.org, s.nawrocki@samsung.com Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, Lv Yunlong Subject: [PATCH] media:v4l2-core: Avoid the dangling pointer in v4l2_fh_release Date: Sun, 9 May 2021 01:24:02 -0700 Message-Id: <20210509082402.4660-1-lyl2019@mail.ustc.edu.cn> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CM-TRANSID: LkAmygCXnkYknJdgUSmsAA--.2211S4 X-Coremail-Antispam: 1UD129KBjvdXoWrKF17tr4xAr45GFy8Cr15urg_yoW3XFb_u3 WxCF97Wry8tr4Uta4jv34fA34FqrZ8ZryfWFy3ta9xKFyUC3W0gFZrZrnYyws7W3W8KF98 Ar1DXr1UAFn7CjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUbV8FF20E14v26r4j6ryUM7CY07I20VC2zVCF04k26cxKx2IYs7xG 6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w A2z4x0Y4vE2Ix0cI8IcVAFwI0_Xr0_Ar1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Cr0_ Gr1UM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v26rxl6s 0DM2vYz4IE04k24VAvwVAKI4IrM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI 64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r106r15McIj6I8E87Iv67AKxVWUJVW8Jw Am72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IYc2Ij64vIr41lF7I21c0EjII2zVCS5cI20VAG YxC7MxkIecxEwVAFwVW8ZwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8Jw C20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAF wI0_JF0_Jw1lIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjx v20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6rWUJVWrZr1UMIIF0xvE x4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvj DU0xZFpf9x0JU9vtAUUUUU= X-CM-SenderInfo: ho1ojiyrz6zt1loo32lwfovvfxof0/ Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org A use after free bug caused by the dangling pointer filp->privitate_data in v4l2_fh_release. See https://lore.kernel.org/patchwork/patch/1419058/. My patch sets the dangling pointer to NULL to provide robust. Signed-off-by: Lv Yunlong --- drivers/media/v4l2-core/v4l2-fh.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/v4l2-core/v4l2-fh.c b/drivers/media/v4l2-core/v4l2-fh.c index 684574f58e82..90eec79ee995 100644 --- a/drivers/media/v4l2-core/v4l2-fh.c +++ b/drivers/media/v4l2-core/v4l2-fh.c @@ -96,6 +96,7 @@ int v4l2_fh_release(struct file *filp) v4l2_fh_del(fh); v4l2_fh_exit(fh); kfree(fh); + filp->private_data = NULL; } return 0; } -- 2.25.1