On Tue, Oct 24, 2017 at 1:36 PM, Arvind Yadav <arvind.yadav.cs@xxxxxxxxx> wrote: > Here, dvb_free_device will free dvb_device. dvb_frontend_invoke_release > is using dvb_device after free. Hi Arvind, Matthias already suggested a fix. Also it looks like your patch is based on an outdated tree, which doesn't contain the commit that seems to have caused the bug (ead666000a5fe34bdc82d61838e4df2d416ea15e). Thanks! > > Signed-off-by: Arvind Yadav <arvind.yadav.cs@xxxxxxxxx> > --- > This bug report by Andrey Konovalov (usb/media/dtt200u: use-after-free > in __dvb_frontend_free). > > drivers/media/dvb-core/dvb_frontend.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c > index 2fcba16..7f1ef12 100644 > --- a/drivers/media/dvb-core/dvb_frontend.c > +++ b/drivers/media/dvb-core/dvb_frontend.c > @@ -147,10 +147,10 @@ static void dvb_frontend_free(struct kref *ref) > container_of(ref, struct dvb_frontend, refcount); > struct dvb_frontend_private *fepriv = fe->frontend_priv; > > - dvb_free_device(fepriv->dvbdev); > - > dvb_frontend_invoke_release(fe, fe->ops.release); > > + dvb_free_device(fepriv->dvbdev); > + > kfree(fepriv); > } > > -- > 1.9.1 >
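Review bot: In dvb_frontend_free(), the moved dvb_free_device(fepriv->dvbdev) call now dereferences fepriv after dvb_frontend_invoke_release(fe, fe->ops.release) has run, so the new order is only safe if the release callback never frees or invalidates fepriv. The commit message should state that, and should name the path by which the release callback reaches the dvb_device, since "is using dvb_device after free" does not say where the access happens. The credit for the report sits below the "---" line, where it is dropped when the patch is applied; move it into the commit message as a Reported-by: tag for Andrey Konovalov. As the reply points out, the patch should also be rebased onto a tree that contains ead666000a5fe34bdc82d61838e4df2d416ea15e, so that the ordering is checked against the code that the report was made on.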