"c77d17c0 [media] lirc: use-after free" introduces two problems: cdev_del() can be called with a NULL argument, and the kobject_put() path will cause a double free. Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Sean Young <sean@xxxxxxxx> --- drivers/media/rc/lirc_dev.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c index d3039ef..3854809 100644 --- a/drivers/media/rc/lirc_dev.c +++ b/drivers/media/rc/lirc_dev.c @@ -157,13 +157,13 @@ static const struct file_operations lirc_dev_fops = { static int lirc_cdev_add(struct irctl *ir) { - int retval = -ENOMEM; struct lirc_driver *d = &ir->d; struct cdev *cdev; + int retval; cdev = cdev_alloc(); if (!cdev) - goto err_out; + return -ENOMEM; if (d->fops) { cdev->ops = d->fops; @@ -177,10 +177,8 @@ static int lirc_cdev_add(struct irctl *ir) goto err_out; retval = cdev_add(cdev, MKDEV(MAJOR(lirc_base_dev), d->minor), 1); - if (retval) { - kobject_put(&cdev->kobj); + if (retval) goto err_out; - } ir->cdev = cdev; -- 2.9.3 -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html