[media] lirc: prevent use-after free
authorSean Young <sean@mess.org>
Mon, 31 Oct 2016 17:52:26 +0000 (15:52 -0200)
committerMauro Carvalho Chehab <mchehab@s-opensource.com>
Mon, 21 Nov 2016 15:19:56 +0000 (13:19 -0200)
If you unplug an lirc device while reading from it, you will get an
use after free as the cdev is freed while still in use.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/media/rc/lirc_dev.c

index bb2f47a21d682c0c0c6ea20b16c9c59af03cdde7..7215891da2485ed7aebadc4652cd05e110ae1737 100644 (file)
@@ -161,15 +161,15 @@ static int lirc_cdev_add(struct irctl *ir)
        struct lirc_driver *d = &ir->d;
        struct cdev *cdev;
 
-       cdev = kzalloc(sizeof(*cdev), GFP_KERNEL);
+       cdev = cdev_alloc();
        if (!cdev)
                goto err_out;
 
        if (d->fops) {
-               cdev_init(cdev, d->fops);
+               cdev->ops = d->fops;
                cdev->owner = d->owner;
        } else {
-               cdev_init(cdev, &lirc_dev_fops);
+               cdev->ops = &lirc_dev_fops;
                cdev->owner = THIS_MODULE;
        }
        retval = kobject_set_name(&cdev->kobj, "lirc%d", d->minor);
@@ -187,7 +187,7 @@ static int lirc_cdev_add(struct irctl *ir)
        return 0;
 
 err_out:
-       kfree(cdev);
+       cdev_del(cdev);
        return retval;
 }
 
@@ -417,7 +417,6 @@ int lirc_unregister_driver(int minor)
        } else {
                lirc_irctl_cleanup(ir);
                cdev_del(cdev);
-               kfree(cdev);
                kfree(ir);
                irctls[minor] = NULL;
        }
@@ -518,7 +517,6 @@ int lirc_dev_fop_close(struct inode *inode, struct file *file)
                lirc_irctl_cleanup(ir);
                cdev_del(cdev);
                irctls[ir->d.minor] = NULL;
-               kfree(cdev);
                kfree(ir);
        }