[PATCH] media: dvb-core: pin frontend device through release

From: Yousef Alhouseen

Date: Sun Jun 28 2026 - 05:44:11 EST


dvb_generic_release() drops the reference held by the open file. Device
unregistration may already have dropped the registration reference, in
which case the call frees dvbdev. dvb_frontend_release() nevertheless
continues to inspect its user count, wait queue, media entity and private
frontend after that call, causing a use-after-free.

Take a temporary device reference around the generic release and the
remaining frontend shutdown work.

Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
Reported-by: syzbot+ae466a728017ec940b41@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/media/dvb-core/dvb_frontend.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
index 7aebaef18191..1276fe704675 100644
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -2912,6 +2912,7 @@ static int dvb_frontend_release(struct inode *inode, struct file *file)
mb();
}

+ dvb_device_get(dvbdev);
ret = dvb_generic_release(inode, file);

if (dvbdev->users == -1) {
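Review bot: The added dvb_device_get(dvbdev) has no comment explaining why a reference is taken immediately before dvb_generic_release() drops one, and the matching put sits roughly twenty lines further down, so a later cleanup could mistake the pair for redundant. Suggest a one-line comment above the call stating that dvb_generic_release() may drop the last reference while the `if (dvbdev->users == -1)` check that follows still reads dvbdev.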
@@ -2933,6 +2934,7 @@ static int dvb_frontend_release(struct inode *inode, struct file *file)
}

dvb_frontend_put(fe);
+ dvb_device_put(dvbdev);

return ret;
}
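Review bot: Please confirm that no path between the dvb_device_get() added in the first hunk and this dvb_device_put(dvbdev) can return early. The lines between the two hunks are not shown, and any exit that skips the put would leak the temporary reference; the only exit visible here is the final `return ret;`. Placing the put after dvb_frontend_put(fe) is consistent with the commit message, which says the private frontend is still inspected after the generic release. A short comment pairing this put with the earlier get would make the intended lifetime explicit.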
--
2.54.0