From: Sean Young Date: Mon, 31 Oct 2016 17:52:27 +0000 (-0200) Subject: [media] lirc: use-after free while reading from device and unplugging X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c77d17c0;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git [media] lirc: use-after free while reading from device and unplugging Many lirc drivers have their own receive buffers which are freed on unplug (e.g. ir_lirc_unregister). This means that ir->buf->wait_poll will be freed directly after unplug so do not remove yourself from the wait queue. Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c index 7215891da248..d3039efb4e7c 100644 --- a/drivers/media/rc/lirc_dev.c +++ b/drivers/media/rc/lirc_dev.c @@ -715,7 +715,7 @@ ssize_t lirc_dev_fop_read(struct file *file, if (!ir->attached) { ret = -ENODEV; - break; + goto out_locked; } } else { lirc_buffer_read(ir->buf, buf);
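Review bot: The `goto out_locked` in the `!ir->attached` branch of `lirc_dev_fop_read()` should carry a short comment saying why the wait-queue removal is skipped, since nothing in the code at that point explains it. The commit message says "many" lirc drivers free their receive buffer on unplug, not all of them, so for any driver whose buffer outlives the unplug the reader's wait entry would stay linked on `ir->buf->wait_poll` after the function returns. Please either confirm that case cannot occur or handle it separately. The `out_locked` label lies outside the visible context, so it is also worth checking that this path still releases the lock its name implies and does everything else the old `break` path did after the loop, apart from the wait-queue removal, before returning `-ENODEV`.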