
[media] em28xx: use after free in em28xx_v4l2_close()

Message ID 20120814065814.GB4791@elgon.mountain (mailing list archive)
State New, archived

Commit Message

Dan Carpenter Aug. 14, 2012, 6:58 a.m. UTC
We need to move the unlock before the kfree(dev);

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Applies to linux-next.

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Ezequiel Garcia Aug. 14, 2012, 10:50 a.m. UTC | #1
Hi Dan,

On Tue, Aug 14, 2012 at 3:58 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> We need to move the unlock before the kfree(dev);
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Applies to linux-next.
>
> diff --git a/drivers/media/video/em28xx/em28xx-video.c b/drivers/media/video/em28xx/em28xx-video.c
> index ecb23df..78d6ebd 100644
> --- a/drivers/media/video/em28xx/em28xx-video.c
> +++ b/drivers/media/video/em28xx/em28xx-video.c
> @@ -2264,9 +2264,9 @@ static int em28xx_v4l2_close(struct file *filp)
>                 if (dev->state & DEV_DISCONNECTED) {
>                         em28xx_release_resources(dev);

Why not unlocking here?

>                         kfree(dev->alt_max_pkt_size);
> +                       mutex_unlock(&dev->lock);
>                         kfree(dev);
>                         kfree(fh);
> -                       mutex_unlock(&dev->lock);
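Review bot: Either position works for the fix, as long as the unlock precedes kfree(dev); the defect is that the mutex being unlocked is a member of the struct being freed, so the only hard requirement is that mutex_unlock(&dev->lock) runs before dev is gone. Unlocking directly after em28xx_release_resources(dev), as asked above, would only move kfree(dev->alt_max_pkt_size) outside the critical section, and since that frees a buffer still reachable through dev, keeping it under the lock as the patch does is the more conservative of the two choices.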

Thanks,
Ezequiel.
Dan Carpenter Aug. 14, 2012, 11:05 a.m. UTC | #2
On Tue, Aug 14, 2012 at 07:50:12AM -0300, Ezequiel Garcia wrote:
> Hi Dan,
> 
> On Tue, Aug 14, 2012 at 3:58 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > We need to move the unlock before the kfree(dev);
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > Applies to linux-next.
> >
> > diff --git a/drivers/media/video/em28xx/em28xx-video.c b/drivers/media/video/em28xx/em28xx-video.c
> > index ecb23df..78d6ebd 100644
> > --- a/drivers/media/video/em28xx/em28xx-video.c
> > +++ b/drivers/media/video/em28xx/em28xx-video.c
> > @@ -2264,9 +2264,9 @@ static int em28xx_v4l2_close(struct file *filp)
> >                 if (dev->state & DEV_DISCONNECTED) {
> >                         em28xx_release_resources(dev);
> 
> Why not unlocking here?

I don't see a reason to prefer one over the other.

regards,
dan carpenter

> 
> >                         kfree(dev->alt_max_pkt_size);
> > +                       mutex_unlock(&dev->lock);
> >                         kfree(dev);
> >                         kfree(fh);
> > -                       mutex_unlock(&dev->lock);
> 
> Thanks,
> Ezequiel.
Ezequiel Garcia Aug. 14, 2012, 11:15 a.m. UTC | #3
On Tue, Aug 14, 2012 at 8:05 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> On Tue, Aug 14, 2012 at 07:50:12AM -0300, Ezequiel Garcia wrote:
>> Hi Dan,
>>
>> On Tue, Aug 14, 2012 at 3:58 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>> > We need to move the unlock before the kfree(dev);
>> >
>> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> > ---
>> > Applies to linux-next.
>> >
>> > diff --git a/drivers/media/video/em28xx/em28xx-video.c b/drivers/media/video/em28xx/em28xx-video.c
>> > index ecb23df..78d6ebd 100644
>> > --- a/drivers/media/video/em28xx/em28xx-video.c
>> > +++ b/drivers/media/video/em28xx/em28xx-video.c
>> > @@ -2264,9 +2264,9 @@ static int em28xx_v4l2_close(struct file *filp)
>> >                 if (dev->state & DEV_DISCONNECTED) {
>> >                         em28xx_release_resources(dev);
>>
>> Why not unlocking here?
>
> I don't see a reason to prefer one over the other.
>

Mmm, I see now what you mean,

Thanks and sorry for dumb question,
Ezequiel.

Patch

diff --git a/drivers/media/video/em28xx/em28xx-video.c b/drivers/media/video/em28xx/em28xx-video.c
index ecb23df..78d6ebd 100644
--- a/drivers/media/video/em28xx/em28xx-video.c
+++ b/drivers/media/video/em28xx/em28xx-video.c
@@ -2264,9 +2264,9 @@  static int em28xx_v4l2_close(struct file *filp)
 		if (dev->state & DEV_DISCONNECTED) {
 			em28xx_release_resources(dev);
 			kfree(dev->alt_max_pkt_size);
+			mutex_unlock(&dev->lock);
 			kfree(dev);
 			kfree(fh);
-			mutex_unlock(&dev->lock);
 			return 0;
 		}
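Review bot: The reordering is correct: dev->lock lives inside the struct that kfree(dev) releases, so the old order called mutex_unlock() on memory that had already been freed; with mutex_unlock(&dev->lock) placed ahead of kfree(dev) and kfree(fh), em28xx_v4l2_close() no longer touches dev after freeing it. One thing to confirm outside this hunk: if any other path can be sleeping on dev->lock while the device is in DEV_DISCONNECTED state, this unlock would wake that waiter and it would then proceed against memory that has just been freed; moving the unlock earlier does not change that, and a reference count on dev rather than the mutex alone would be the durable fix for that case.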