From patchwork Thu Apr 4 20:32:09 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jiri Slaby X-Patchwork-Id: 17766 Received: from mail.tu-berlin.de ([130.149.7.33]) by www.linuxtv.org with esmtp (Exim 4.72) (envelope-from ) id 1UNqqI-0004BM-8u; Thu, 04 Apr 2013 22:33:06 +0200 X-tubIT-Incoming-IP: 209.132.180.67 Received: from vger.kernel.org ([209.132.180.67]) by mail.tu-berlin.de (exim-4.75/mailfrontend-3) with esmtp id 1UNqqH-0005OL-Ex; Thu, 04 Apr 2013 22:33:06 +0200 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1764846Ab3DDUct (ORCPT + 1 other); Thu, 4 Apr 2013 16:32:49 -0400 Received: from mail.pripojeni.net ([178.22.112.14]:51049 "EHLO smtp.pripojeni.net" rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP id S1764854Ab3DDUcS (ORCPT ); Thu, 4 Apr 2013 16:32:18 -0400 Received: from bellona.site ([178.22.112.2]) by smtp.pripojeni.net (Kerio Connect 7.2.0 patch 1); Thu, 4 Apr 2013 22:32:13 +0200 From: Jiri Slaby To: jirislaby@gmail.com Cc: linux-kernel@vger.kernel.org, Sean Young , Mauro Carvalho Chehab , linux-media@vger.kernel.org Subject: [PATCH 2/5] MEDIA: ttusbir, fix double free Date: Thu, 4 Apr 2013 22:32:09 +0200 Message-Id: <1365107532-32721-2-git-send-email-jslaby@suse.cz> X-Mailer: git-send-email 1.8.2 In-Reply-To: <1365107532-32721-1-git-send-email-jslaby@suse.cz> References: <1365107532-32721-1-git-send-email-jslaby@suse.cz> Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.4.4.201816 X-PMX-Spam: Gauge=IIIIIIII, Probability=8%, Report=' MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1000_1099 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, URI_ENDS_IN_HTML 0, __ANY_URI 0, __CP_URI_IN_BODY 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0, __IN_REP_TO 0, __MIME_TEXT_ONLY 0, __MULTIPLE_RCPTS_CC_X2 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_NO_WWW 0, __URI_NS ' rc_unregister_device already calls rc_free_device to free the passed device. But in one of ttusbir's probe fail paths, we call rc_unregister_device _and_ rc_free_device. This is wrong and results in a double free. Instead, set rc to NULL resulting in rc_free_device being a noop. Signed-off-by: Jiri Slaby Cc: Sean Young Cc: Mauro Carvalho Chehab Cc: linux-media@vger.kernel.org Acked-by: Sean Young --- drivers/media/rc/ttusbir.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/rc/ttusbir.c b/drivers/media/rc/ttusbir.c index cf0d47f..891762d 100644 --- a/drivers/media/rc/ttusbir.c +++ b/drivers/media/rc/ttusbir.c @@ -347,6 +347,7 @@ static int ttusbir_probe(struct usb_interface *intf, return 0; out3: rc_unregister_device(rc); + rc = NULL; out2: led_classdev_unregister(&tt->led); out: