[PATCH 3/4] [media] xc2028: unlock on error in xc2028_set_config()
Tyler Hicks
tyhicks at canonical.com
Fri Sep 14 18:51:38 UTC 2018
From: Dan Carpenter <dan.carpenter at oracle.com>
We have to unlock before returning -ENOMEM.
Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
CVE-2016-7913
(cherry picked from commit 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d)
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
drivers/media/tuners/tuner-xc2028.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c
index 8e11d5b817f3..f07f9bd6d0f4 100644
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -1399,8 +1399,10 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
if (p->fname) {
priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
- if (priv->ctrl.fname == NULL)
- return -ENOMEM;
+ if (priv->ctrl.fname == NULL) {
+ rc = -ENOMEM;
+ goto unlock;
+ }
}
/*
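Review bot: in the new -ENOMEM branch after kstrdup(), priv->ctrl has already been overwritten by the memcpy() at the top of this hunk, so the function now unlocks correctly but still returns an error with the new configuration installed and priv->ctrl.fname set to NULL. Consider duplicating p->fname into a local before the memcpy() and only committing the copy once the allocation has succeeded, or state in a comment that the configuration is left partially updated when -ENOMEM is returned.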
@@ -1432,6 +1434,7 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
} else
priv->state = XC2028_WAITING_FIRMWARE;
}
+unlock:
mutex_unlock(&priv->lock);
return rc;
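Review bot: the jump to the new `unlock:` label skips the whole block that ends in `priv->state = XC2028_WAITING_FIRMWARE`, so on the -ENOMEM path priv->state keeps whatever value it had before the call. That looks intended, but the commit message only says "unlock before returning"; a one-line comment at the label, or a sentence in the message, noting that the error path deliberately leaves the state untouched would help anyone backporting this. With a single exit label now in place, it is also worth checking that no other direct `return` remains between taking priv->lock and this label, since the visible hunks convert only the one.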
--
2.7.4