author: Mauro Carvalho Chehab <mchehab@infradead.org> 2006-06-23 13:27:36 -0300
committer: Mauro Carvalho Chehab <mchehab@infradead.org> 2006-06-23 13:27:36 -0300
commit: 515941d047746d1026ffe99a794edd9ffea7a4d1 (patch)
tree: 825f8bd793ae8c072285f483a18527393ff20a52 /linux/include/media
parent: 7bbcab1af264a64efd2772c7e078e2137a24e018 (diff)
download: mediapointer-dvb-s2-515941d047746d1026ffe99a794edd9ffea7a4d1.tar.gz
          mediapointer-dvb-s2-515941d047746d1026ffe99a794edd9ffea7a4d1.tar.bz2
Fix use-after-free bug in cpia2 driver
From: Jesper Juhl <jesper.juhl@gmail.com>

The coverity checker detected a use-after-free error in drivers/media/video/cpia2/cpia2_v4l.c::cpia2_close() (coverity error #1281).

What happens is that we lock cam->busy_lock, then proceed to free resources, and in the case of (--cam->open_count == 0) we finish off by doing a kfree(cam) and then at the end of the function we do a mutex_unlock(&cam->busy_lock) which will explode since it'll dereference the free'd `cam':

    ...
    mutex_lock(&cam->busy_lock);
    ...
    if (--cam->open_count == 0) {
        ...
        if (!cam->present) {
            video_unregister_device(dev);
            kfree(cam);
        }
    }
    mutex_unlock(&cam->busy_lock);   <--- PROBLEM, cam no longer around.
    ...

Since this only happens in the case of open_count going down to zero I don't see a problem with just releasing the mutex after unregistering the device and just before the kfree(). In this case there is nothing around that we can race against; we are in the release method, open_count is zero, (!cam->present) and the device has just been unregistered, so letting go of the mutex at this point looks safe to me.

Patch below to implement that solution.

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Acked-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Diffstat (limited to 'linux/include/media')
0 files changed, 0 insertions, 0 deletions
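The release-path ordering described in the commit message, modelled as an added userspace C example. This is not the cpia2 driver's code or any kernel code: a single flag field stands in for the kernel mutex (so that the unlock visibly dereferences the object, which is exactly the read that became a use-after-free in the original ordering), a counter stands in for video_unregister_device(), and the open_count and present fields are assumed to behave as the message describes. The original ordering is shown as a comment for comparison; only the fixed ordering is compiled and run.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not the cpia2 driver's code. A flag stands in for the kernel
 * mutex and a counter for video_unregister_device(); open_count and present
 * mirror the fields named in the commit message. */
struct camera {
    int busy_lock;      /* 1 while held; stand-in for struct mutex */
    int open_count;
    int present;        /* 0 once the hardware has gone away */
};

int unregister_calls;   /* how many times the stand-in unregister ran */

static void model_lock(struct camera *cam)
{
    if (cam->busy_lock)
        abort();        /* single-threaded model: a double lock is a bug */
    cam->busy_lock = 1;
}

/* Reads cam->busy_lock. With the original ordering this read happened after
 * kfree(cam), which is the use-after-free the commit fixes. */
static void model_unlock(struct camera *cam)
{
    if (!cam->busy_lock)
        abort();        /* unlocking a lock we do not hold is a bug */
    cam->busy_lock = 0;
}

static void model_video_unregister_device(void)
{
    unregister_calls++;
}

struct camera *camera_new(int present)
{
    struct camera *cam = calloc(1, sizeof(*cam));
    if (cam)
        cam->present = present;
    return cam;
}

void camera_open(struct camera *cam)
{
    model_lock(cam);
    cam->open_count++;
    model_unlock(cam);
}

/*
 * Original ordering from the commit message (not compiled here):
 *
 *     model_lock(cam);
 *     if (--cam->open_count == 0) {
 *         if (!cam->present) {
 *             model_video_unregister_device();
 *             free(cam);
 *         }
 *     }
 *     model_unlock(cam);   <-- dereferences cam after it was freed
 */

/* Fixed ordering: release the lock before freeing, while cam is still valid.
 * Returns 1 if cam was freed (the caller must not touch it afterwards),
 * 0 if the object is still alive. */
int camera_close_fixed(struct camera *cam)
{
    model_lock(cam);
    if (--cam->open_count == 0) {
        if (!cam->present) {
            model_video_unregister_device();
            /* open_count is zero and the device is unregistered, so nothing
             * else can reach cam; unlocking here before free() is safe. */
            model_unlock(cam);
            free(cam);
            return 1;
        }
    }
    model_unlock(cam);
    return 0;
}

/* Release a camera that close left alive (present != 0). */
void camera_free(struct camera *cam)
{
    free(cam);
}

int main(void)
{
    struct camera *cam = camera_new(0);   /* constructed: device already unplugged */
    camera_open(cam);
    camera_open(cam);
    printf("first close freed:  %d\n", camera_close_fixed(cam));   /* 0 */
    printf("second close freed: %d\n", camera_close_fixed(cam));   /* 1 */
    printf("unregister calls:   %d\n", unregister_calls);           /* 1 */
    return 0;
}
```

The return value of camera_close_fixed() is the contract the kernel fix relies on: once the function reports that it freed the object, the caller has no valid pointer left and must not unlock, log through, or otherwise touch it. Running the commented original ordering under a memory checker such as KASAN or ASan would flag the trailing unlock as a read of freed memory, which is the same finding Coverity reported statically.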