openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

[media] drivers/media/media-device: fix double free bug in _unregister() 

While removing all interfaces in media_device_unregister(), all
media_interface pointers are freed.  This is illegal and results in
double kfree() if any media_interface is still linked at this point;
maybe because a userspace process still has a file handle.  Once the
process closes the file handle, dvb_media_device_free() gets called,
which frees the dvb_device.intf_devnode again.

This patch removes the unnecessary kfree() call, and documents who's
responsible for really freeing it.

Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
This commit is contained in:
Max Kellermann 2016-08-09 18:33:03 -03:00 committed by Mauro Carvalho Chehab
parent 6753743e11
commit e7cd17a29d
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/media/media-device.c
View File

@ -801,9 +801,13 @@ void media_device_unregister(struct media_device *mdev)
/* Remove all interfaces from the media device */ /* Remove all interfaces from the media device */
list_for_each_entry_safe(intf, tmp_intf, &mdev->interfaces, list_for_each_entry_safe(intf, tmp_intf, &mdev->interfaces,
graph_obj.list) { graph_obj.list) {
/*
* Unlink the interface, but don't free it here; the
* module which created it is responsible for freeing
* it
*/
__media_remove_intf_links(intf); __media_remove_intf_links(intf);
media_gobj_destroy(&intf->graph_obj); media_gobj_destroy(&intf->graph_obj);
kfree(intf);
} }
mutex_unlock(&mdev->graph_mutex); mutex_unlock(&mdev->graph_mutex);