[media] lirc: use-after free while reading from device and unplugging

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Many lirc drivers have their own receive buffers which are freed on
unplug (e.g. ir_lirc_unregister). This means that ir->buf->wait_poll
will be freed directly after unplug so do not remove yourself from the
wait queue.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

authored by

Sean Young and committed by

Mauro Carvalho Chehab 9 years ago c77d17c0 afbb1101

+1 -1

1 changed file

expand all

drivers

media

lirc_dev.c

+1 -1

drivers/media/rc/lirc_dev.c

··· 715 715 716 716 if (!ir->attached) { 717 717 ret = -ENODEV; 718 - break; 718 + goto out_locked; 719 719 } 720 720 } else { 721 721 lirc_buffer_read(ir->buf, buf);