[Patch] use after free in drivers/media/video/em28xx/em28xx-video.c

From: Eric Sesterhenn
Date: Mon Apr 10 2006 - 18:03:31 EST


hi,

in several we use dev->devno right after we kfree()
dev. This fixes coverity bug id #1065

Signed-off-by: Eric Sesterhenn <snakebyte@xxxxxx>

--- linux-2.6.17-rc1/drivers/media/video/em28xx/em28xx-video.c.orig 2006-04-10 23:49:05.000000000 +0200
+++ linux-2.6.17-rc1/drivers/media/video/em28xx/em28xx-video.c 2006-04-10 23:50:05.000000000 +0200
@@ -1576,8 +1576,8 @@ static int em28xx_init_dev(struct em28xx
errCode = em28xx_config(dev);
if (errCode) {
em28xx_errdev("error configuring device\n");
- kfree(dev);
em28xx_devused&=~(1<<dev->devno);
+ kfree(dev);
return -ENOMEM;
}

@@ -1603,8 +1603,8 @@ static int em28xx_init_dev(struct em28xx
dev->vdev = video_device_alloc();
if (NULL == dev->vdev) {
em28xx_errdev("cannot allocate video_device.\n");
- kfree(dev);
em28xx_devused&=~(1<<dev->devno);
+ kfree(dev);
return -ENOMEM;
}

@@ -1612,8 +1612,8 @@ static int em28xx_init_dev(struct em28xx
if (NULL == dev->vbi_dev) {
em28xx_errdev("cannot allocate video_device.\n");
kfree(dev->vdev);
- kfree(dev);
em28xx_devused&=~(1<<dev->devno);
+ kfree(dev);
return -ENOMEM;
}

@@ -1650,8 +1650,8 @@ static int em28xx_init_dev(struct em28xx
mutex_unlock(&dev->lock);
list_del(&dev->devlist);
video_device_release(dev->vdev);
- kfree(dev);
em28xx_devused&=~(1<<dev->devno);
+ kfree(dev);
return -ENODEV;
}

@@ -1662,8 +1662,8 @@ static int em28xx_init_dev(struct em28xx
list_del(&dev->devlist);
video_device_release(dev->vbi_dev);
video_device_release(dev->vdev);
- kfree(dev);
em28xx_devused&=~(1<<dev->devno);
+ kfree(dev);
return -ENODEV;
} else {
printk("registered VBI\n");


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/