[media] lirc: use-after free while reading from device and unplugging

Many lirc drivers have their own receive buffers which are freed on unplug (e.g. ir_lirc_unregister). This means that ir->buf->wait_poll will be freed directly after unplug so do not remove yourself from the wait queue. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
author: Sean Young 2016-10-31 18:52:27 +0100
committer: Mauro Carvalho Chehab 2016-11-21 16:28:11 +0100
commit: c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12 (patch)
tree: f5464ed1bb40b45dfb28e417cefde361bc000af1 /drivers/media/rc
parent: [media] lirc: prevent use-after free (diff)
download: kernel-qcow2-linux-c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12.tar.gz
kernel-qcow2-linux-c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12.tar.xz
kernel-qcow2-linux-c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c
index 7215891da248..d3039efb4e7c 100644
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -715,7 +715,7 @@ ssize_t lirc_dev_fop_read(struct file *file,
 
 			if (!ir->attached) {
 				ret = -ENODEV;
-				break;
+				goto out_locked;
 			}
 		} else {
 			lirc_buffer_read(ir->buf, buf);
author	Sean Young	2016-10-31 18:52:27 +0100
committer	Mauro Carvalho Chehab	2016-11-21 16:28:11 +0100
commit	c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12 (patch)
tree	f5464ed1bb40b45dfb28e417cefde361bc000af1 /drivers/media/rc
parent	[media] lirc: prevent use-after free (diff)
download	kernel-qcow2-linux-c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12.tar.gz kernel-qcow2-linux-c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12.tar.xz kernel-qcow2-linux-c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12.zip