[media] xc5000: use after free in release()

Message ID 20140925114008.GC3708@mwanda (mailing list archive)
State Accepted, archived
Delegated to: Hans Verkuil

Commit Message

Dan Carpenter Sept. 25, 2014, 11:40 a.m. UTC
  I moved the call to hybrid_tuner_release_state(priv) after
"priv->firmware" dereference.

Fixes: 5264a522a597 ('[media] media: tuner xc5000 - release firmwware from xc5000_release()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
  

Comments

Shuah Khan Sept. 25, 2014, 2 p.m. UTC | #1
On 09/25/2014 05:40 AM, Dan Carpenter wrote:
> I moved the call to hybrid_tuner_release_state(priv) after
> "priv->firmware" dereference.
> 
> Fixes: 5264a522a597 ('[media] media: tuner xc5000 - release firmwware from xc5000_release()')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/media/tuners/xc5000.c b/drivers/media/tuners/xc5000.c
> index e44c8ab..803a0e6 100644
> --- a/drivers/media/tuners/xc5000.c
> +++ b/drivers/media/tuners/xc5000.c
> @@ -1333,9 +1333,9 @@ static int xc5000_release(struct dvb_frontend *fe)
>  
>  	if (priv) {
>  		cancel_delayed_work(&priv->timer_sleep);
> -		hybrid_tuner_release_state(priv);
>  		if (priv->firmware)
>  			release_firmware(priv->firmware);
> +		hybrid_tuner_release_state(priv);
>  	}
>  
>  	mutex_unlock(&xc5000_list_mutex);
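Review bot: after release_firmware(priv->firmware) the stale pointer is left in priv->firmware. hybrid_tuner_release_state() is reference counted and only frees the shared state when the last user drops it, so a second instance that later takes this same release path would hand already-freed memory to release_firmware() again. Clearing the field right after the release closes that window: `release_firmware(priv->firmware); priv->firmware = NULL;` inside the existing `if (priv->firmware)` block.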
> 

Thanks for catching it.

Reviewed-by: Shuah Khan <shuahkh@osg.samsung.com>

-- Shuah
  
Dan Carpenter Oct. 15, 2014, 1:40 p.m. UTC | #2
On Thu, Sep 25, 2014 at 02:40:08PM +0300, Dan Carpenter wrote:
> I moved the call to hybrid_tuner_release_state(priv) after
> "priv->firmware" dereference.
> 
> Fixes: 5264a522a597 ('[media] media: tuner xc5000 - release firmwware from xc5000_release()')

We still need this patch.

regards,
dan carpenter

Shuah Khan Oct. 15, 2014, 3:12 p.m. UTC | #3
On 10/15/2014 07:40 AM, Dan Carpenter wrote:
> On Thu, Sep 25, 2014 at 02:40:08PM +0300, Dan Carpenter wrote:
>> I moved the call to hybrid_tuner_release_state(priv) after
>> "priv->firmware" dereference.
>>
>> Fixes: 5264a522a597 ('[media] media: tuner xc5000 - release firmwware from xc5000_release()')
> 
> We still need this patch.
> 

I didn't see it in media pull request for 3.18. Mauro probably
has this on his list for next round.

-- Shuah
  
Dan Carpenter Oct. 15, 2014, 4:15 p.m. UTC | #4
On Wed, Oct 15, 2014 at 09:12:46AM -0600, Shuah Khan wrote:
> On 10/15/2014 07:40 AM, Dan Carpenter wrote:
> > On Thu, Sep 25, 2014 at 02:40:08PM +0300, Dan Carpenter wrote:
> >> I moved the call to hybrid_tuner_release_state(priv) after
> >> "priv->firmware" dereference.
> >>
> >> Fixes: 5264a522a597 ('[media] media: tuner xc5000 - release firmwware from xc5000_release()')
> > 
> > We still need this patch.
> > 
> 
> I didn't see it in media pull request for 3.18. Mauro probably
> has this on his list for next round.
> 

It's not in linux-next.

regards,
dan carpenter


Patch

diff --git a/drivers/media/tuners/xc5000.c b/drivers/media/tuners/xc5000.c
index e44c8ab..803a0e6 100644
--- a/drivers/media/tuners/xc5000.c
+++ b/drivers/media/tuners/xc5000.c
@@ -1333,9 +1333,9 @@  static int xc5000_release(struct dvb_frontend *fe)
 
 	if (priv) {
 		cancel_delayed_work(&priv->timer_sleep);
-		hybrid_tuner_release_state(priv);
 		if (priv->firmware)
 			release_firmware(priv->firmware);
+		hybrid_tuner_release_state(priv);
 	}
 
 	mutex_unlock(&xc5000_list_mutex);
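Review bot: cancel_delayed_work(&priv->timer_sleep) at the top of the hunk does not wait for a handler that is already running, so if timer_sleep is executing on another CPU when hybrid_tuner_release_state(priv) frees the state, the handler keeps touching freed memory and the use-after-free is only narrowed, not removed. cancel_delayed_work_sync(&priv->timer_sleep) waits for the running instance; it is safe to use here only if the work handler does not itself take xc5000_list_mutex, which this function holds until the mutex_unlock() in the trailing context.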