On 06/15/2016 02:15 PM, Max Kellermann wrote:
> Don't free the object until the file handle has been closed. Fixes
> use-after-free bug which occurs when I disconnect my DVB-S receiver
> while VDR is running.

Which file handle? /dev/dvb---

There seems to be a problem in the driver release routine:

dvb_ca_en50221_release() routine:

    kfree(ca->slot_info);
    dvb_unregister_device(ca->dvbdev);
    kfree(ca);

I think this should be, since ioctl references slot info:

    dvb_unregister_device(ca->dvbdev);
    kfree(ca->slot_info);
    kfree(ca);

I think dvb_ca_en50221_release() and dvb_ca_en50221_io_do_ioctl() should
serialize access to ca. dvb_ca_en50221_io_do_ioctl() holds the ioctl_mutex;
however, dvb_ca_en50221_release() could happen while ioctl is in progress.

Maybe you can try fixing those first. As I mentioned in my review on your
3/3 patch, adding a kref here adds more refcounted objects to the mix. You
want to avoid that.

thanks,
-- Shuah

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
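The ordering problem Shuah describes, as an added user-space model that is not code from the thread or from the dvb-core driver: a device struct with a registered flag and a slot_info allocation, an ioctl model that dereferences slot_info, and two release sequences, the quoted one (free slot_info, then unregister) and the proposed one (unregister, then free). A hook injected between the two release steps plays the part of an ioctl arriving in the window. The names ca_dev, ca_ioctl, ca_release_buggy, ca_release_fixed and simulate_release are hypothetical, and the -EFAULT return is a marker for the freed memory the real driver would read, not kernel behaviour.

```c
/* Added example (hypothetical names), not the dvb-core driver's code:
 * a user-space model of the release-vs-ioctl ordering discussed in the thread. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct slot_info {
    int slot_state;              /* stands in for the per-slot state ioctl touches */
};

struct ca_dev {
    int registered;              /* models whether the device node is registered */
    struct slot_info *slot_info; /* freed during release */
};

/* Hook invoked between release steps to model an ioctl racing with release. */
typedef int (*interleave_fn)(struct ca_dev *ca);

static struct ca_dev *ca_create(void)
{
    struct ca_dev *ca = calloc(1, sizeof(*ca));
    if (!ca)
        return NULL;
    ca->slot_info = calloc(1, sizeof(*ca->slot_info));
    if (!ca->slot_info) {
        free(ca);
        return NULL;
    }
    ca->registered = 1;          /* dvb_register_device() done */
    return ca;
}

/* Model of the ioctl path: refuses once the device is unregistered, otherwise
 * dereferences slot_info. A NULL slot_info marks memory the buggy ordering has
 * already freed; the real driver would read freed memory at that point. */
static int ca_ioctl(struct ca_dev *ca)
{
    if (!ca->registered)
        return -ENODEV;          /* device gone: request rejected */
    if (!ca->slot_info)
        return -EFAULT;          /* marker for the use-after-free */
    ca->slot_info->slot_state++;
    return 0;
}

/* Ordering as quoted in the thread: slot_info is freed while the device is
 * still registered, so an ioctl in the window reaches freed memory. */
static int ca_release_buggy(struct ca_dev *ca, interleave_fn hook)
{
    int ret = 0;
    free(ca->slot_info);
    ca->slot_info = NULL;        /* marker only; kfree() leaves a dangling pointer */
    if (hook)
        ret = hook(ca);          /* ioctl arriving in the window */
    ca->registered = 0;          /* dvb_unregister_device() */
    free(ca);
    return ret;
}

/* Proposed ordering: unregister first so no new ioctl can reach slot_info,
 * then free it. In the real driver, holding ioctl_mutex across both steps
 * would additionally wait for an ioctl that is already in progress. */
static int ca_release_fixed(struct ca_dev *ca, interleave_fn hook)
{
    int ret = 0;
    ca->registered = 0;          /* dvb_unregister_device() */
    if (hook)
        ret = hook(ca);          /* ioctl arriving in the window is rejected */
    free(ca->slot_info);
    ca->slot_info = NULL;
    free(ca);
    return ret;
}

/* Runs one release with an ioctl injected into the window and reports what
 * that ioctl returned: -EFAULT for the quoted order, -ENODEV for the fix. */
static int simulate_release(int use_fixed_order)
{
    struct ca_dev *ca = ca_create();
    if (!ca)
        return -ENOMEM;
    return use_fixed_order ? ca_release_fixed(ca, ca_ioctl)
                           : ca_release_buggy(ca, ca_ioctl);
}

/* Normal path: ioctl on a live device, then an undisturbed release. */
static int ioctl_on_live_device(void)
{
    struct ca_dev *ca = ca_create();
    int ret;
    if (!ca)
        return -ENOMEM;
    ret = ca_ioctl(ca);
    ca_release_fixed(ca, NULL);
    return ret;
}

int main(void)
{
    printf("live device: ioctl returned %d\n", ioctl_on_live_device());
    printf("quoted order: ioctl in window returned %d\n", simulate_release(0));
    printf("fixed order: ioctl in window returned %d\n", simulate_release(1));
    return 0;
}
```

The model only reorders the two steps; it does not reproduce the second issue Shuah raises, a release running concurrently with an ioctl that has already passed the registered check. Closing that window requires the serialisation she asks for (release taking the same ioctl_mutex before unregistering and freeing), which a single-threaded model cannot exercise.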