[media] em28xx: use after free in em28xx_v4l2_close()
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 14 Aug 2012 05:58:15 +0000 (02:58 -0300)
committerMauro Carvalho Chehab <mchehab@redhat.com>
Wed, 15 Aug 2012 21:49:00 +0000 (18:49 -0300)
We need to move the unlock before the kfree(dev);

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
drivers/media/usb/em28xx/em28xx-video.c

index ecb23df7f16efb178cd735cbc147cef1ae7b75c6..78d6ebd712b9135f5a8e121175d1bef4b514103d 100644 (file)
@@ -2264,9 +2264,9 @@ static int em28xx_v4l2_close(struct file *filp)
                if (dev->state & DEV_DISCONNECTED) {
                        em28xx_release_resources(dev);
                        kfree(dev->alt_max_pkt_size);
+                       mutex_unlock(&dev->lock);
                        kfree(dev);
                        kfree(fh);
-                       mutex_unlock(&dev->lock);
                        return 0;
                }
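Review bot: Releasing `dev->lock` at the new `mutex_unlock(&dev->lock);` line immediately before `kfree(dev)` removes the unlock-after-free, but nothing visible in this hunk guarantees that no other thread is still waiting on that mutex or holding a `dev` pointer when the structure is freed. Whether such a waiter can exist depends on the `dev->users` check and the disconnect path, which lie outside the hunk, so this is a question for the author rather than a confirmed defect. I would either state the invariant next to the unlock, e.g. `/* last user of a disconnected device: nobody else can take dev->lock or reach dev from here */`, or tie the free to a reference count (`kref_put()` with a release callback) so that the lifetime of `dev` does not rest on lock ordering. em28xx_v4l2_close() starts and ends outside the hunk.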