
Commit 8280b662 authored by Hans Verkuil, committed by Mauro Carvalho Chehab

[media] v4l: Fix use-after-free case in v4l2_device_release



Drivers that have no v4l2_device release callback might free the
v4l2_device instance in the video_device release callback. Make sure we
don't access the v4l2_device instance after it gets freed.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
parent dd182e54
+11 −0
@@ -173,6 +173,17 @@ static void v4l2_device_release(struct device *cd)
		media_device_unregister_entity(&vdev->entity);
		media_device_unregister_entity(&vdev->entity);
#endif
#endif


	/* Do not call v4l2_device_put if there is no release callback set.
	 * Drivers that have no v4l2_device release callback might free the
	 * v4l2_dev instance in the video_device release callback below, so we
	 * must perform this check here.
	 *
	 * TODO: In the long run all drivers that use v4l2_device should use the
	 * v4l2_device release callback. This check will then be unnecessary.
	 */
	if (v4l2_dev->release == NULL)
		v4l2_dev = NULL;

	/* Release video_device and perform other
	/* Release video_device and perform other
	   cleanups as needed. */
	   cleanups as needed. */
	vdev->release(vdev);
	vdev->release(vdev);
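
Review bot: the new test `if (v4l2_dev->release == NULL)` dereferences v4l2_dev without checking the pointer itself, so a video_device that reaches v4l2_device_release with no v4l2_device attached would fault here, before vdev->release(vdev) runs. If that case is possible on this path, write the test as `if (v4l2_dev && v4l2_dev->release == NULL)`. The comment also refers to a v4l2_device_put call "below" that this hunk does not show; setting v4l2_dev to NULL only avoids the use-after-free if that later call is guarded by a NULL test on v4l2_dev, so it is worth saying so in the comment or confirming the guard in the surrounding code.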