[PATCH] au0828: fix use-after-free at USB probing

From: Gustavo A. R. Silva
Date: Thu Nov 09 2017 - 19:21:45 EST

Next message: NeilBrown: "Re: [PATCH 0/3] VFS: name lookup improvements."
Previous message: Minchan Kim: "Re: [RESEND PATCH] mm, oom_reaper: gather each vma to prevent leaking TLB entry"
Next in thread: Andrey Konovalov: "Re: [PATCH] au0828: fix use-after-free at USB probing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Andrey,

Could you please try this patch?

Thank you

The device is typically freed on failure after trying to set
USB interface0 to as5 in function au0828_analog_register.

Fix use-after-free by returning the error value inmediately
after failure, instead of jumping to au0828_usb_disconnect
where _dev_ is also freed.

Signed-off-by: Gustavo A. R. Silva <garsilva@xxxxxxxxxxxxxx>
---
drivers/media/usb/au0828/au0828-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/media/usb/au0828/au0828-core.c b/drivers/media/usb/au0828/au0828-core.c
index cd363a2..b4abd90 100644
--- a/drivers/media/usb/au0828/au0828-core.c
+++ b/drivers/media/usb/au0828/au0828-core.c
@@ -630,7 +630,7 @@ static int au0828_usb_probe(struct usb_interface *interface,
__func__);
mutex_unlock(&dev->lock);
kfree(dev);
- goto done;
+ return retval;
}

/* Digital TV */
@@ -655,7 +655,6 @@ static int au0828_usb_probe(struct usb_interface *interface,

retval = au0828_media_device_register(dev, usbdev);

-done:
if (retval < 0)
au0828_usb_disconnect(interface);

--
2.7.4

Next message: NeilBrown: "Re: [PATCH 0/3] VFS: name lookup improvements."
Previous message: Minchan Kim: "Re: [RESEND PATCH] mm, oom_reaper: gather each vma to prevent leaking TLB entry"
Next in thread: Andrey Konovalov: "Re: [PATCH] au0828: fix use-after-free at USB probing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]