git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/commit

author	Oliver Neukum <oneukum@suse.com>
	Mon, 8 Jan 2018 14:21:07 +0000 (09:21 -0500)
committer	Mauro Carvalho Chehab <mchehab@s-opensource.com>
	Mon, 26 Feb 2018 11:59:54 +0000 (06:59 -0500)
commit	50e7044535537b2a54c7ab798cd34c7f6d900bd2
tree	aa8018ab5ef0caedd67f8ce0db06ab371ec865f1	tree
parent	81b9de43599c59a3d5bd3e6e8645cb20b87840bc	commit \| diff

media: usbtv: prevent double free in error case

Quoting the original report:

It looks like there is a double-free vulnerability in Linux usbtv driver
on an error path of usbtv_probe function. When audio registration fails,
usbtv_video_free function ends up freeing usbtv data structure, which
gets freed the second time under usbtv_video_fail label.

usbtv_audio_fail:

        usbtv_video_free(usbtv); =>

           v4l2_device_put(&usbtv->v4l2_dev);

              => v4l2_device_put

                  => kref_put

                      => v4l2_device_release

  => usbtv_release (CALLBACK)

                             => kfree(usbtv) (1st time)

usbtv_video_fail:

        usb_set_intfdata(intf, NULL);

        usb_put_dev(usbtv->udev);

        kfree(usbtv); (2nd time)

So, as we have refcounting, use it

Reported-by: Yavuz, Tuba <tuba@ece.ufl.edu>
Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>