[media] lirc: use-after free while reading from device and unplugging
author Sean Young <sean@mess.org>
Mon, 31 Oct 2016 17:52:27 +0000 (15:52 -0200)
committer Mauro Carvalho Chehab <mchehab@s-opensource.com>
Mon, 21 Nov 2016 15:28:11 +0000 (13:28 -0200)
Many lirc drivers have their own receive buffers which are freed on
unplug (e.g. ir_lirc_unregister). This means that ir->buf->wait_poll
will be freed directly after unplug so do not remove yourself from the
wait queue.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/media/rc/lirc_dev.c

index 7215891da2485ed7aebadc4652cd05e110ae1737..d3039efb4e7cf0db00bb09868d11ba615ba973b3 100644 (file)
@@ -715,7 +715,7 @@ ssize_t lirc_dev_fop_read(struct file *file,
 
                        if (!ir->attached) {
                                ret = -ENODEV;
-                               break;
+                               goto out_locked;
                        }
                } else {
                        lirc_buffer_read(ir->buf, buf);
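Review bot: The `goto out_locked` in the `!ir->attached` branch has no comment explaining why this exit must bypass the wait-queue removal that the old `break` fell through to; the reason (ir->buf->wait_poll is freed on unplug) is recorded only in the commit message. A short comment above the goto would keep a later cleanup from turning it back into `break`. The `out_locked` label lies outside the context shown here, so please confirm that it sits after the wait-queue removal, that it still releases the lock its name implies, and that nothing else on that path touches `ir->buf` once `ir->attached` is false.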