From: Hans Verkuil Date: Tue, 6 Sep 2011 13:23:18 +0000 (-0300) Subject: [media] v4l: Fix use-after-free case in v4l2_device_release X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=8280b66;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git [media] v4l: Fix use-after-free case in v4l2_device_release Drivers that have no v4l2_device release callback might free the v4l2_device instance in the video_device release callback. Make sure we don't access the v4l2_device instance after it gets freed. Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/video/v4l2-dev.c b/drivers/media/video/v4l2-dev.c index 06f14008b346..d72156517726 100644 --- a/drivers/media/video/v4l2-dev.c +++ b/drivers/media/video/v4l2-dev.c @@ -173,6 +173,17 @@ static void v4l2_device_release(struct device *cd) media_device_unregister_entity(&vdev->entity); #endif + /* Do not call v4l2_device_put if there is no release callback set. + * Drivers that have no v4l2_device release callback might free the + * v4l2_dev instance in the video_device release callback below, so we + * must perform this check here. + * + * TODO: In the long run all drivers that use v4l2_device should use the + * v4l2_device release callback. This check will then be unnecessary. + */ + if (v4l2_dev->release == NULL) + v4l2_dev = NULL; + /* Release video_device and perform other cleanups as needed. */ vdev->release(vdev);