mirror of https://gitee.com/openkylin/linux.git
[media] lirc: prevent use-after free
If you unplug an lirc device while reading from it, you will get an use after free as the cdev is freed while still in use. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
This commit is contained in:
parent
12accdcb92
commit
afbb110172
|
@ -161,15 +161,15 @@ static int lirc_cdev_add(struct irctl *ir)
|
||||||
struct lirc_driver *d = &ir->d;
|
struct lirc_driver *d = &ir->d;
|
||||||
struct cdev *cdev;
|
struct cdev *cdev;
|
||||||
|
|
||||||
cdev = kzalloc(sizeof(*cdev), GFP_KERNEL);
|
cdev = cdev_alloc();
|
||||||
if (!cdev)
|
if (!cdev)
|
||||||
goto err_out;
|
goto err_out;
|
||||||
|
|
||||||
if (d->fops) {
|
if (d->fops) {
|
||||||
cdev_init(cdev, d->fops);
|
cdev->ops = d->fops;
|
||||||
cdev->owner = d->owner;
|
cdev->owner = d->owner;
|
||||||
} else {
|
} else {
|
||||||
cdev_init(cdev, &lirc_dev_fops);
|
cdev->ops = &lirc_dev_fops;
|
||||||
cdev->owner = THIS_MODULE;
|
cdev->owner = THIS_MODULE;
|
||||||
}
|
}
|
||||||
retval = kobject_set_name(&cdev->kobj, "lirc%d", d->minor);
|
retval = kobject_set_name(&cdev->kobj, "lirc%d", d->minor);
|
||||||
|
@ -187,7 +187,7 @@ static int lirc_cdev_add(struct irctl *ir)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
err_out:
|
err_out:
|
||||||
kfree(cdev);
|
cdev_del(cdev);
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -417,7 +417,6 @@ int lirc_unregister_driver(int minor)
|
||||||
} else {
|
} else {
|
||||||
lirc_irctl_cleanup(ir);
|
lirc_irctl_cleanup(ir);
|
||||||
cdev_del(cdev);
|
cdev_del(cdev);
|
||||||
kfree(cdev);
|
|
||||||
kfree(ir);
|
kfree(ir);
|
||||||
irctls[minor] = NULL;
|
irctls[minor] = NULL;
|
||||||
}
|
}
|
||||||
|
@ -518,7 +517,6 @@ int lirc_dev_fop_close(struct inode *inode, struct file *file)
|
||||||
lirc_irctl_cleanup(ir);
|
lirc_irctl_cleanup(ir);
|
||||||
cdev_del(cdev);
|
cdev_del(cdev);
|
||||||
irctls[ir->d.minor] = NULL;
|
irctls[ir->d.minor] = NULL;
|
||||||
kfree(cdev);
|
|
||||||
kfree(ir);
|
kfree(ir);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue