From 25205eb3f46ee7ab26238d27127b83e7b9f6f2cf Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Tue, 11 Apr 2006 18:19:33 -0300 Subject: Use after free in drivers/media/video/em28xx/em28xx-video.c From: Eric Sesterhenn In several places we use dev->devno right after we kfree() dev. This fixes coverity bug id #1065 Signed-off-by: Eric Sesterhenn Signed-off-by: Andrew Morton Signed-off-by: Mauro Carvalho Chehab --- linux/drivers/media/video/em28xx/em28xx-video.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'linux') diff --git a/linux/drivers/media/video/em28xx/em28xx-video.c b/linux/drivers/media/video/em28xx/em28xx-video.c index 1093a68f0..33fe987dd 100644 --- a/linux/drivers/media/video/em28xx/em28xx-video.c +++ b/linux/drivers/media/video/em28xx/em28xx-video.c @@ -1685,8 +1685,8 @@ static int em28xx_init_dev(struct em28xx **devhandle, struct usb_device *udev, errCode = em28xx_config(dev); if (errCode) { em28xx_errdev("error configuring device\n"); - kfree(dev); em28xx_devused&=~(1<devno); + kfree(dev); return -ENOMEM; } @@ -1712,8 +1712,8 @@ static int em28xx_init_dev(struct em28xx **devhandle, struct usb_device *udev, dev->vdev = video_device_alloc(); if (NULL == dev->vdev) { em28xx_errdev("cannot allocate video_device.\n"); - kfree(dev); em28xx_devused&=~(1<devno); + kfree(dev); return -ENOMEM; } @@ -1721,8 +1721,8 @@ static int em28xx_init_dev(struct em28xx **devhandle, struct usb_device *udev, if (NULL == dev->vbi_dev) { em28xx_errdev("cannot allocate video_device.\n"); kfree(dev->vdev); - kfree(dev); em28xx_devused&=~(1<devno); + kfree(dev); return -ENOMEM; } @@ -1765,8 +1765,8 @@ static int em28xx_init_dev(struct em28xx **devhandle, struct usb_device *udev, mutex_unlock(&dev->lock); list_del(&dev->devlist); video_device_release(dev->vdev); - kfree(dev); em28xx_devused&=~(1<devno); + kfree(dev); return -ENODEV; } 
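Review bot: The em28xx_config() failure path in the hunk at 1685 still returns a hard-coded `-ENOMEM` and discards errCode, so a configuration failure is reported to the caller as an allocation failure. Assuming em28xx_config() returns a negative errno (its body is not visible here), `return errCode;` would preserve the real cause. errCode is a local, so it stays valid after kfree(dev). em28xx_init_dev starts and ends outside this hunk.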
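Review bot: The sequence "clear the devno bit in em28xx_devused, then kfree(dev)" is open-coded in this video_device_alloc() failure path (hunk at 1712) and in the four other error paths touched at 1685, 1721, 1765 and 1777, so the ordering constraint has to be kept right in five places. A single unwind label at the end of em28xx_init_dev, or a small static helper that does both steps, would keep the read of dev->devno ahead of the free in one spot. A comment there such as `/* dev->devno must be read before kfree(dev); dev is invalid afterwards */` would record why the order matters. The function body extends beyond the hunk, so whether a common exit label already exists cannot be seen here.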
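Review bot: In the vbi_dev allocation failure path (hunk at 1721), dev->vdev is released with `kfree(dev->vdev);`, while the later error paths in this function release the same object with `video_device_release(dev->vdev);`. The object comes from video_device_alloc() in the preceding hunk, so the matching release call is the more robust choice and keeps the paths consistent. The error text is also identical to the one printed for dev->vdev, so the log cannot tell the two failures apart; `em28xx_errdev("cannot allocate vbi video_device.\n");` would distinguish them.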
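Review bot: The error path in the hunk at 1765 releases dev->vdev but not dev->vbi_dev, which the hunk at 1721 shows being allocated earlier in the same function, so vbi_dev appears to leak when this branch is taken (assuming nothing between the two hunks frees it). Adding `video_device_release(dev->vbi_dev);` ahead of the vdev release, as the path in the hunk at 1777 already does, would close that. The condition guarding this branch is outside the hunk, so which registration failure it handles is inferred from the surrounding cleanup only.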
@@ -1777,8 +1777,8 @@ static int em28xx_init_dev(struct em28xx **devhandle, struct usb_device *udev, list_del(&dev->devlist); video_device_release(dev->vbi_dev); video_device_release(dev->vdev); - kfree(dev); em28xx_devused&=~(1<devno); + kfree(dev); return -ENODEV; } else { printk("registered VBI\n"); -- cgit v1.2.3 From 0cdd88b619025b1eb047a9f5f2eb8f51efadcb05 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Tue, 11 Apr 2006 18:27:18 -0300 Subject: Keep #if 0/#if 1 for newer drivers at the tree From: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab --- linux/drivers/media/video/pwc/pwc-if.c | 2 +- linux/drivers/media/video/pwc/pwc-uncompress.c | 2 +- linux/drivers/media/video/usbvideo/ibmcam.c | 20 ++++++++++---------- linux/drivers/media/video/usbvideo/ultracam.c | 2 +- linux/drivers/media/video/usbvideo/usbvideo.c | 4 ++-- 5 files changed, 15 insertions(+), 15 deletions(-) (limited to 'linux') diff --git a/linux/drivers/media/video/pwc/pwc-if.c b/linux/drivers/media/video/pwc/pwc-if.c index 41418294a..7c97270d3 100644 --- a/linux/drivers/media/video/pwc/pwc-if.c +++ b/linux/drivers/media/video/pwc/pwc-if.c @@ -320,7 +320,7 @@ static int pwc_allocate_buffers(struct pwc_device *pdev) case 730: case 740: case 750: -#if 0 +#if 0 /* keep */ Trace(TRACE_MEMORY,"private_data(%zu)\n",sizeof(struct pwc_dec23_private)); kbuf = kmalloc(sizeof(struct pwc_dec23_private), GFP_KERNEL); /* Timon & Kiara */ break; diff --git a/linux/drivers/media/video/pwc/pwc-uncompress.c b/linux/drivers/media/video/pwc/pwc-uncompress.c index b37a89a16..eec2c3c45 100644 --- a/linux/drivers/media/video/pwc/pwc-uncompress.c +++ b/linux/drivers/media/video/pwc/pwc-uncompress.c @@ -118,7 +118,7 @@ int pwc_decompress(struct pwc_device *pdev) return -ENXIO; /* No such device or address: missing decompressor */ } -#if 0 +#if 0 /* keep */ switch (pdev->type) { case 675: 
diff --git a/linux/drivers/media/video/usbvideo/ibmcam.c b/linux/drivers/media/video/usbvideo/ibmcam.c index 76f771b6a..c5c444692 100644 --- a/linux/drivers/media/video/usbvideo/ibmcam.c +++ b/linux/drivers/media/video/usbvideo/ibmcam.c @@ -258,7 +258,7 @@ static enum ParseState ibmcam_find_header(struct uvd *uvd) /* FIXME: Add frame h (RING_QUEUE_PEEK(&uvd->dp, 1) == 0xFF) && (RING_QUEUE_PEEK(&uvd->dp, 2) == 0x00)) { -#if 0 /* This code helps to detect new frame markers */ +#if 0 /* keep */ /* This code helps to detect new frame markers */ info("Header sig: 00 FF 00 %02X", RING_QUEUE_PEEK(&uvd->dp, 3)); #endif frame->header = RING_QUEUE_PEEK(&uvd->dp, 3); @@ -266,7 +266,7 @@ static enum ParseState ibmcam_find_header(struct uvd *uvd) /* FIXME: Add frame h (frame->header == HDRSIG_MODEL1_176x144) || (frame->header == HDRSIG_MODEL1_352x288)) { -#if 0 +#if 0 /* keep */ info("Header found."); #endif RING_QUEUE_DEQUEUE_BYTES(&uvd->dp, marker_len); @@ -295,7 +295,7 @@ case IBMCAM_MODEL_4: if ((RING_QUEUE_PEEK(&uvd->dp, 0) == 0x00) && (RING_QUEUE_PEEK(&uvd->dp, 1) == 0xFF)) { -#if 0 +#if 0 /* keep */ info("Header found."); #endif RING_QUEUE_DEQUEUE_BYTES(&uvd->dp, marker_len); @@ -338,7 +338,7 @@ case IBMCAM_MODEL_4: byte3 = RING_QUEUE_PEEK(&uvd->dp, 2); byte4 = RING_QUEUE_PEEK(&uvd->dp, 3); frame->header = (byte3 << 8) | byte4; -#if 0 +#if 0 /* keep */ info("Header found."); #endif RING_QUEUE_DEQUEUE_BYTES(&uvd->dp, marker_len); @@ -1100,7 +1100,7 @@ static void ibmcam_ProcessIsocData(struct uvd *uvd, /* Update the frame's uncompressed length. */ frame->seqRead_Length += copylen; -#if 0 +#if 0 /* keep */ { static unsigned char j=0; memset(frame->data, j++, uvd->max_frame_size); @@ -1139,7 +1139,7 @@ static int ibmcam_veio( cp, sizeof(cp), 1000); -#if 0 +#if 0 /* keep */ info("USB => %02x%02x%02x%02x%02x%02x%02x%02x " "(req=$%02x val=$%04x ind=$%04x)", cp[0],cp[1],cp[2],cp[3],cp[4],cp[5],cp[6],cp[7], 
@@ -1433,7 +1433,7 @@ static void ibmcam_change_lighting_conditions(struct uvd *uvd) break; } case IBMCAM_MODEL_2: -#if 0 +#if 0 /* keep */ /* * This command apparently requires camera to be stopped. My * experiments showed that it -is- possible to alter the lighting @@ -1611,7 +1611,7 @@ static void ibmcam_set_hue(struct uvd *uvd) } case IBMCAM_MODEL_3: { -#if 0 /* This seems not to work. No problem, will fix programmatically */ +#if 0 /* keep */ /* This seems not to work. No problem, will fix programmatically */ unsigned short hue = 0x05 + (uvd->vpic.hue / (0xFFFF / (0x37 - 0x05 + 1))); RESTRICT_TO_RANGE(hue, 0x05, 0x37); if (uvd->vpic_old.hue == hue) @@ -1860,7 +1860,7 @@ static int ibmcam_model1_setup(struct uvd *uvd) ibmcam_veio(uvd, 0, 0x04, 0x011a); /* Same everywhere */ ibmcam_veio(uvd, 0, 0x2b, 0x011c); ibmcam_veio(uvd, 0, 0x23, 0x012a); /* Same everywhere */ -#if 0 +#if 0 /* keep */ ibmcam_veio(uvd, 0, 0x00, 0x0106); ibmcam_veio(uvd, 0, 0x38, 0x0107); #else @@ -3502,7 +3502,7 @@ case IBMCAM_MODEL_4: ibmcam_veio(uvd, 0, 0x0000, 0x0112); break; case IBMCAM_MODEL_3: -#if 1 +#if 1 /* keep */ ibmcam_veio(uvd, 0, 0x0000, 0x010c); /* Here we are supposed to select video interface alt. setting 0 */ diff --git a/linux/drivers/media/video/usbvideo/ultracam.c b/linux/drivers/media/video/usbvideo/ultracam.c index 10c58b4a2..344f6cca9 100644 --- a/linux/drivers/media/video/usbvideo/ultracam.c +++ b/linux/drivers/media/video/usbvideo/ultracam.c @@ -156,7 +156,7 @@ static int ultracam_veio( cp, sizeof(cp), 1000); -#if 1 +#if 1 /* keep */ info("USB => %02x%02x%02x%02x%02x%02x%02x%02x " "(req=$%02x val=$%04x ind=$%04x)", cp[0],cp[1],cp[2],cp[3],cp[4],cp[5],cp[6],cp[7], diff --git a/linux/drivers/media/video/usbvideo/usbvideo.c b/linux/drivers/media/video/usbvideo/usbvideo.c index 13b37c8c0..4db4569a5 100644 --- a/linux/drivers/media/video/usbvideo/usbvideo.c +++ b/linux/drivers/media/video/usbvideo/usbvideo.c 
@@ -542,7 +542,7 @@ void usbvideo_TestPattern(struct uvd *uvd, int fullframe, int pmode) frame->curline = 0; frame->seqRead_Length = 0; } -#if 0 +#if 0 /* keep */ { /* For debugging purposes only */ char tmp[20]; usbvideo_VideosizeToString(tmp, sizeof(tmp), frame->request); @@ -1688,7 +1688,7 @@ static void usbvideo_IsocIrq(struct urb *urb, struct pt_regs *regs) /* We don't want to do anything if we are about to be removed! */ if (!CAMERA_IS_OPERATIONAL(uvd)) return; -#if 0 +#if 0 /* keep */ if (urb->actual_length > 0) { info("urb=$%p status=%d. errcount=%d. length=%d.", urb, urb->status, urb->error_count, urb->actual_length); -- cgit v1.2.3