Commit ce814ad4 authored by Dan Carpenter, committed by Mauro Carvalho Chehab

media: allegro: Fix use after free on error

The "channel" is added to the "dev->channels" but then if
v4l2_m2m_ctx_init() fails then we free "channel" but it's still on the
list so it could lead to a use after free.  Let's not add it to the
list until after v4l2_m2m_ctx_init() succeeds.

Fixes: cc62c747 ("media: allegro: add missed checks in allegro_open()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
parent 4f20b7be
...@@ -2483,8 +2483,6 @@ static int allegro_open(struct file *file) ...@@ -2483,8 +2483,6 @@ static int allegro_open(struct file *file)
INIT_LIST_HEAD(&channel->buffers_reference); INIT_LIST_HEAD(&channel->buffers_reference);
INIT_LIST_HEAD(&channel->buffers_intermediate); INIT_LIST_HEAD(&channel->buffers_intermediate);
list_add(&channel->list, &dev->channels);
channel->fh.m2m_ctx = v4l2_m2m_ctx_init(dev->m2m_dev, channel, channel->fh.m2m_ctx = v4l2_m2m_ctx_init(dev->m2m_dev, channel,
allegro_queue_init); allegro_queue_init);
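Review bot: With the list_add() dropped ahead of v4l2_m2m_ctx_init(), the allegro_queue_init callback passed on the following lines is handed a channel that is not yet on dev->channels. Confirm that neither that callback nor anything else reached from v4l2_m2m_ctx_init() looks the channel up through dev->channels. If that holds, a one-line comment at this spot saying the list insertion is deferred until init succeeds would keep a later cleanup from moving it back.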
...@@ -2493,6 +2491,7 @@ static int allegro_open(struct file *file) ...@@ -2493,6 +2491,7 @@ static int allegro_open(struct file *file)
goto error; goto error;
} }
list_add(&channel->list, &dev->channels);
file->private_data = &channel->fh; file->private_data = &channel->fh;
v4l2_fh_add(&channel->fh); v4l2_fh_add(&channel->fh);
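Review bot: The error label reached by the "goto error" just above the new list_add() is not visible in this hunk; check that it does not call list_del(&channel->list), since on this path the channel was never added to dev->channels and no INIT_LIST_HEAD(&channel->list) appears in the visible lines. Separately, list_add(&channel->list, &dev->channels) has no lock around it in these lines; if dev->channels is walked from another context, say in the commit message or a comment which lock protects it.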