rc_unregister_device() will first call ir_free_table(), and later
device_del(); however, the latter causes a call to rc_dev_uevent(),
which prints rc_map.name, which at this point has already bee freed.
This fixes a use-after-free bug found with KASAN.
Signed-off-by: Max Kellermann <max.kellermann@xxxxxxxxx>
---
drivers/media/rc/rc-main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
index 8e7f292..1e5a520 100644
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -159,6 +159,7 @@ static void ir_free_table(struct rc_map *rc_map)
{
rc_map->size = 0;
kfree(rc_map->name);
+ rc_map->name = NULL;
kfree(rc_map->scan);
rc_map->scan = NULL;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
