From: Dan Carpenter Date: Fri, 17 Jun 2011 10:25:09 +0000 (+0300) Subject: Staging: easycap: use after free in easycap_delete() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=38d0cffefd3daaad6bc58a6212d16edeaa8ee1f0;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git Staging: easycap: use after free in easycap_delete() The JOM() macro dereferences peasycap, so I moved the free down some lines. Signed-off-by: Dan Carpenter Acked-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/easycap/easycap_main.c b/drivers/staging/easycap/easycap_main.c index 62e07f6a026c..84d4f77ef46b 100644 --- a/drivers/staging/easycap/easycap_main.c +++ b/drivers/staging/easycap/easycap_main.c @@ -913,8 +913,6 @@ static void easycap_delete(struct kref *pkref) allocation_audio_struct = peasycap->allocation_audio_struct; registered_audio = peasycap->registered_audio; - kfree(peasycap); - if (0 <= kd && DONGLE_MANY > kd) { if (mutex_lock_interruptible(&mutex_dongle)) { SAY("ERROR: cannot down mutex_dongle\n"); @@ -929,6 +927,9 @@ static void easycap_delete(struct kref *pkref) } else { SAY("ERROR: cannot purge dongle[].peasycap"); } + + kfree(peasycap); + /*---------------------------------------------------------------------------*/ SAY("%8i=video urbs after all deletions\n", allocation_video_urb); SAY("%8i=video pages after all deletions\n", allocation_video_page);