[media] lirc: use-after free while reading from device and unplugging

Many lirc drivers have their own receive buffers which are freed on unplug (e.g. ir_lirc_unregister). This means that ir->buf->wait_poll will be freed directly after unplug so do not remove yourself from the wait queue. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
author: Sean Young <sean@mess.org> 2016-10-31 20:52:27 +0300
committer: Mauro Carvalho Chehab <mchehab@s-opensource.com> 2016-11-21 18:28:11 +0300
commit: c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12 (patch)
tree: f5464ed1bb40b45dfb28e417cefde361bc000af1
parent: afbb110172b93e44a3fd1b5afb3a71f7f9da4406 (diff)
download: linux-c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c
index 7215891da248..d3039efb4e7c 100644
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -715,7 +715,7 @@ ssize_t lirc_dev_fop_read(struct file *file,
 
 			if (!ir->attached) {
 				ret = -ENODEV;
-				break;
+				goto out_locked;
 			}
 		} else {
 			lirc_buffer_read(ir->buf, buf);
author	Sean Young <sean@mess.org>	2016-10-31 20:52:27 +0300
committer	Mauro Carvalho Chehab <mchehab@s-opensource.com>	2016-11-21 18:28:11 +0300
commit	c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12 (patch)
tree	f5464ed1bb40b45dfb28e417cefde361bc000af1
parent	afbb110172b93e44a3fd1b5afb3a71f7f9da4406 (diff)
download	linux-c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12.tar.xz