diff mbox

[media] stk-webcam: Fix use after free on disconnect

Message ID 20170922134841.kxfwwn2yocjgnuad@mwanda (mailing list archive)
State Superseded, archived
Delegated to: Hans Verkuil
Headers

Commit Message

Dan Carpenter Sept. 22, 2017, 1:48 p.m. UTC 
  We free the stk_camera device too early.  It's allocate first in probe
and it should be freed last in stk_camera_disconnect().

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
Not tested but these bug reports seem surprisingly straight forward.
Thanks Andrey!

Comments

Sakari Ailus Oct. 16, 2017, 2:13 p.m. UTC | #1 
On Fri, Sep 22, 2017 at 04:48:41PM +0300, Dan Carpenter wrote:
> We free the stk_camera device too early.  It's allocate first in probe
> and it should be freed last in stk_camera_disconnect().
> 
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> Not tested but these bug reports seem surprisingly straight forward.
> Thanks Andrey!

Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
diff mbox

Patch

diff --git a/drivers/media/usb/stkwebcam/stk-webcam.c b/drivers/media/usb/stkwebcam/stk-webcam.c
index c0bba773db25..e748c976d967 100644
--- a/drivers/media/usb/stkwebcam/stk-webcam.c
+++ b/drivers/media/usb/stkwebcam/stk-webcam.c
@@ -1241,7 +1241,6 @@  static void stk_v4l_dev_release(struct video_device *vd)
 	if (dev->sio_bufs != NULL || dev->isobufs != NULL)
 		pr_err("We are leaking memory\n");
 	usb_put_intf(dev->interface);
-	kfree(dev);
 }
 
 static const struct video_device stk_v4l_data = {
@@ -1391,6 +1390,7 @@  static void stk_camera_disconnect(struct usb_interface *interface)
 	video_unregister_device(&dev->vdev);
 	v4l2_ctrl_handler_free(&dev->hdl);
 	v4l2_device_unregister(&dev->v4l2_dev);
+	kfree(dev);
 }
 
 #ifdef CONFIG_PM