4.19-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 3 Feb 2020 15:02:00 +0000 (15:02 +0000)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Mon, 3 Feb 2020 15:02:00 +0000 (15:02 +0000)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 3 Feb 2020 15:02:00 +0000 (15:02 +0000)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 3 Feb 2020 15:02:00 +0000 (15:02 +0000)
diff --git a/queue-4.19/media-si470x-i2c-move-free-past-last-use-of-radio.patch b/queue-4.19/media-si470x-i2c-move-free-past-last-use-of-radio.patch

new file mode 100644 (file)

index 0000000..0165293
--- /dev/null
+++ b/queue-4.19/media-si470x-i2c-move-free-past-last-use-of-radio.patch
@@ -0,0 +1,45 @@
+From lee.jones@linaro.org  Mon Feb  3 14:58:36 2020
+From: Lee Jones <lee.jones@linaro.org>
+Date: Mon,  3 Feb 2020 13:21:30 +0000
+Subject: media: si470x-i2c: Move free() past last use of 'radio'
+To: stable@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
+Message-ID: <20200203132130.12748-1-lee.jones@linaro.org>
+
+From: Lee Jones <lee.jones@linaro.org>
+
+A pointer to 'struct si470x_device' is currently used after free:
+
+  drivers/media/radio/si470x/radio-si470x-i2c.c:462:25-30: ERROR: reference
+    preceded by free on line 460
+
+Shift the call to free() down past its final use.
+
+NB: Not sending to Mainline, since the problem does not exist there, it was
+caused by the backport of 2df200ab234a ("media: si470x-i2c: add missed
+operations in remove") to the stable trees.
+
+Cc: <stable@vger.kernel.org> # v3.18+
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/radio/si470x/radio-si470x-i2c.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/radio/si470x/radio-si470x-i2c.c
++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c
+@@ -483,10 +483,10 @@ static int si470x_i2c_remove(struct i2c_
+ 
+       free_irq(client->irq, radio);
+       video_unregister_device(&radio->videodev);
+-      kfree(radio);
+ 
+       v4l2_ctrl_handler_free(&radio->hdl);
+       v4l2_device_unregister(&radio->v4l2_dev);
++      kfree(radio);
+       return 0;
+ }
+ 
diff --git a/queue-4.19/series b/queue-4.19/series

index 205555a4c78aeec7aee7834ff77a1ce3191016b6..f76750f20638f704bb908f657f3d5a1a92ab8e72 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -21,3 +21,4 @@ tomoyo-use-atomic_t-for-statistics-counter.patch
  ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
  bluetooth-fix-race-condition-in-hci_release_sock.patch
  cgroup-prevent-double-killing-of-css-when-enabling-threaded-cgroup.patch
+media-si470x-i2c-move-free-past-last-use-of-radio.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 3 Feb 2020 15:02:00 +0000 (15:02 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 3 Feb 2020 15:02:00 +0000 (15:02 +0000)
queue-4.19/media-si470x-i2c-move-free-past-last-use-of-radio.patch	[new file with mode: 0644]	patch \| blob
queue-4.19/series		patch \| blob \| blame \| history