[PATCH] media: dvb-core: publish device minors after registration succeeds
From: Yousef Alhouseen
Date: Sun Jun 28 2026 - 06:02:09 EST
dvb_register_device() publishes dvbdev in the minor table before media
graph and class-device creation, both of which can still fail. Their error
paths then free dvbdev directly without removing the table entry or
dropping its minor reference. Opening a manually created device node can
race with or follow that failure, causing refcount corruption and
use-after-free; without an open, the minor reference is leaked.
Keep the chosen minor private until all fallible registration steps have
succeeded. On failure, release the initial reference through
dvb_device_put() rather than bypassing the kref.
Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
Reported-by: syzbot+d37184d9d8cc34602616@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=d37184d9d8cc34602616
Reported-by: syzbot+d445a71e1c011b592c16@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=d445a71e1c011b592c16
Reported-by: syzbot+2e428058cafb408fb695@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=2e428058cafb408fb695
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
drivers/media/dvb-core/dvbdev.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index d753d329502a..ca4d61a94270 100644
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -545,7 +545,6 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
}
dvbdev->minor = minor;
- dvb_minors[minor] = dvb_device_get(dvbdev);
up_write(&minor_rwsem);
ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads);
if (ret) {
@@ -558,7 +557,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
}
dvb_media_device_free(dvbdev);
list_del(&dvbdev->list_head);
- kfree(dvbdev);
+ dvb_device_put(dvbdev);
*pdvbdev = NULL;
mutex_unlock(&dvbdev_register_lock);
return ret;
@@ -577,12 +576,16 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
}
dvb_media_device_free(dvbdev);
list_del(&dvbdev->list_head);
- kfree(dvbdev);
+ dvb_device_put(dvbdev);
*pdvbdev = NULL;
mutex_unlock(&dvbdev_register_lock);
return PTR_ERR(clsdev);
}
+ down_write(&minor_rwsem);
+ dvb_minors[minor] = dvb_device_get(dvbdev);
+ up_write(&minor_rwsem);
+
dprintk("DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n",
adap->num, dnames[type], id, minor, minor);
--
2.54.0