From: Wei Yongjun <yongjun_wei@xxxxxxxxxxxxxxxxx>

Since rc_unregister_device() frees its argument, the subsequent call to rc_free_device() on the same variable will cause a double free bug. Fix by setting the argument to NULL, thus when falling through to rc_free_device(), nothing will be done there.

Signed-off-by: Wei Yongjun <yongjun_wei@xxxxxxxxxxxxxxxxx>
--- drivers/media/rc/ite-cir.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c index dd82373..63b4225 100644 --- a/drivers/media/rc/ite-cir.c +++ b/drivers/media/rc/ite-cir.c @@ -1613,6 +1613,7 @@ exit_release_cir_addr: release_region(itdev->cir_addr, itdev->params.io_region_size); exit_unregister_device: rc_unregister_device(rdev); + rdev = NULL; exit_free_dev_rdev: rc_free_device(rdev); kfree(itdev);
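
Review bot: the `rdev = NULL;` added under exit_unregister_device carries no comment, and it is correct only because rc_free_device() does nothing when passed NULL, which the commit message states but the code does not. A short comment at the assignment, for example `/* rc_unregister_device() already freed rdev */`, would stop a later cleanup from dropping it as a dead store and reintroducing the double free. The fix also depends on the fall-through order of the labels: in the visible lines only rc_free_device(rdev) and kfree(itdev) follow, so nothing dereferences the NULL pointer, but any code later added between exit_unregister_device and the end of the error path that touches rdev would need a NULL check.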