From 4961a5323f5d873e2170c5ef4f48538930e6df3e Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Thu, 25 Sep 2014 08:40:08 -0300 Subject: [PATCH] [media] xc5000: use after free in release() I moved the call to hybrid_tuner_release_state(priv) after "priv->firmware" dereference. Fixes: 5264a522a597 ('[media] media: tuner xc5000 - release firmwware from xc5000_release()') Signed-off-by: Dan Carpenter Reviewed-by: Shuah Khan Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- drivers/media/tuners/xc5000.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/tuners/xc5000.c b/drivers/media/tuners/xc5000.c index e44c8aba6074..803a0e63d47e 100644 --- a/drivers/media/tuners/xc5000.c +++ b/drivers/media/tuners/xc5000.c @@ -1333,9 +1333,9 @@ static int xc5000_release(struct dvb_frontend *fe) if (priv) { cancel_delayed_work(&priv->timer_sleep); - hybrid_tuner_release_state(priv); if (priv->firmware) release_firmware(priv->firmware); + hybrid_tuner_release_state(priv); } mutex_unlock(&xc5000_list_mutex); -- 2.20.1