* [patch] [media] em28xx: use after free in em28xx_v4l2_close()
From: Dan Carpenter @ 2012-08-14 6:58 UTC (permalink / raw)
To: Mauro Carvalho Chehab
Cc: Ezequiel Garcia, Hans Verkuil, Hans de Goede, Gianluca Gennari,
linux-media, kernel-janitors
We need to move the unlock before the kfree(dev);
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Applies to linux-next.
diff --git a/drivers/media/video/em28xx/em28xx-video.c b/drivers/media/video/em28xx/em28xx-video.c
index ecb23df..78d6ebd 100644
--- a/drivers/media/video/em28xx/em28xx-video.c
+++ b/drivers/media/video/em28xx/em28xx-video.c
@@ -2264,9 +2264,9 @@ static int em28xx_v4l2_close(struct file *filp)
if (dev->state & DEV_DISCONNECTED) {
em28xx_release_resources(dev);
kfree(dev->alt_max_pkt_size);
+ mutex_unlock(&dev->lock);
kfree(dev);
kfree(fh);
- mutex_unlock(&dev->lock);
return 0;
}
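Review bot: The changelog should say why the order matters in the DEV_DISCONNECTED branch: the old mutex_unlock(&dev->lock) ran after kfree(dev), and the lock is reached through dev, so the unlock touched freed memory. With the unlock now sitting directly before kfree(dev), please also confirm that no other task can be blocked on dev->lock at this point, since a waiter woken by the unlock would go on to use dev while it is being freed. A one-line comment above the unlock stating that this is the last user of dev would document that assumption.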
* Re: [patch] [media] em28xx: use after free in em28xx_v4l2_close()
From: Ezequiel Garcia @ 2012-08-14 10:50 UTC (permalink / raw)
To: Dan Carpenter
Cc: Mauro Carvalho Chehab, Hans Verkuil, Hans de Goede,
Gianluca Gennari, linux-media, kernel-janitors
Hi Dan,
On Tue, Aug 14, 2012 at 3:58 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> We need to move the unlock before the kfree(dev);
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Applies to linux-next.
>
> diff --git a/drivers/media/video/em28xx/em28xx-video.c b/drivers/media/video/em28xx/em28xx-video.c
> index ecb23df..78d6ebd 100644
> --- a/drivers/media/video/em28xx/em28xx-video.c
> +++ b/drivers/media/video/em28xx/em28xx-video.c
> @@ -2264,9 +2264,9 @@ static int em28xx_v4l2_close(struct file *filp)
> if (dev->state & DEV_DISCONNECTED) {
> em28xx_release_resources(dev);
Why not unlocking here?
> kfree(dev->alt_max_pkt_size);
> + mutex_unlock(&dev->lock);
> kfree(dev);
> kfree(fh);
> - mutex_unlock(&dev->lock);
Thanks,
Ezequiel.
* Re: [patch] [media] em28xx: use after free in em28xx_v4l2_close()
From: Dan Carpenter @ 2012-08-14 11:05 UTC (permalink / raw)
To: Ezequiel Garcia
Cc: Mauro Carvalho Chehab, Hans Verkuil, Hans de Goede,
Gianluca Gennari, linux-media, kernel-janitors
On Tue, Aug 14, 2012 at 07:50:12AM -0300, Ezequiel Garcia wrote:
> Hi Dan,
>
> On Tue, Aug 14, 2012 at 3:58 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > We need to move the unlock before the kfree(dev);
> >
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > Applies to linux-next.
> >
> > diff --git a/drivers/media/video/em28xx/em28xx-video.c b/drivers/media/video/em28xx/em28xx-video.c
> > index ecb23df..78d6ebd 100644
> > --- a/drivers/media/video/em28xx/em28xx-video.c
> > +++ b/drivers/media/video/em28xx/em28xx-video.c
> > @@ -2264,9 +2264,9 @@ static int em28xx_v4l2_close(struct file *filp)
> > if (dev->state & DEV_DISCONNECTED) {
> > em28xx_release_resources(dev);
>
> Why not unlocking here?
I don't see a reason to prefer one over the other.
regards,
dan carpenter
>
> > kfree(dev->alt_max_pkt_size);
> > + mutex_unlock(&dev->lock);
> > kfree(dev);
> > kfree(fh);
> > - mutex_unlock(&dev->lock);
>
> Thanks,
> Ezequiel.
* Re: [patch] [media] em28xx: use after free in em28xx_v4l2_close()
From: Ezequiel Garcia @ 2012-08-14 11:15 UTC (permalink / raw)
To: Dan Carpenter
Cc: Mauro Carvalho Chehab, Hans Verkuil, Hans de Goede,
Gianluca Gennari, linux-media, kernel-janitors
On Tue, Aug 14, 2012 at 8:05 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> On Tue, Aug 14, 2012 at 07:50:12AM -0300, Ezequiel Garcia wrote:
>> Hi Dan,
>>
>> On Tue, Aug 14, 2012 at 3:58 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>> > We need to move the unlock before the kfree(dev);
>> >
>> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> > ---
>> > Applies to linux-next.
>> >
>> > diff --git a/drivers/media/video/em28xx/em28xx-video.c b/drivers/media/video/em28xx/em28xx-video.c
>> > index ecb23df..78d6ebd 100644
>> > --- a/drivers/media/video/em28xx/em28xx-video.c
>> > +++ b/drivers/media/video/em28xx/em28xx-video.c
>> > @@ -2264,9 +2264,9 @@ static int em28xx_v4l2_close(struct file *filp)
>> > if (dev->state & DEV_DISCONNECTED) {
>> > em28xx_release_resources(dev);
>>
>> Why not unlocking here?
>
> I don't see a reason to prefer one over the other.
>
Mmm, I see now what you mean,
Thanks and sorry for dumb question,
Ezequiel.