From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 3 Feb 2020 15:01:46 +0000 (+0000)
Subject: 4.14-stable patches
X-Git-Tag: v5.5.2~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3995f76cca7a3b27d6f1231b543ec2d5d669e2bc;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	media-si470x-i2c-move-free-past-last-use-of-radio.patch
---

diff --git a/queue-4.14/media-si470x-i2c-move-free-past-last-use-of-radio.patch b/queue-4.14/media-si470x-i2c-move-free-past-last-use-of-radio.patch
new file mode 100644
index 00000000000..4f3b56bdf0b
--- /dev/null
+++ b/queue-4.14/media-si470x-i2c-move-free-past-last-use-of-radio.patch
@@ -0,0 +1,45 @@
+From lee.jones@linaro.org  Mon Feb  3 14:58:36 2020
+From: Lee Jones <lee.jones@linaro.org>
+Date: Mon,  3 Feb 2020 13:21:30 +0000
+Subject: media: si470x-i2c: Move free() past last use of 'radio'
+To: stable@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
+Message-ID: <20200203132130.12748-1-lee.jones@linaro.org>
+
+From: Lee Jones <lee.jones@linaro.org>
+
+A pointer to 'struct si470x_device' is currently used after free:
+
+  drivers/media/radio/si470x/radio-si470x-i2c.c:462:25-30: ERROR: reference
+    preceded by free on line 460
+
+Shift the call to free() down past its final use.
+
+NB: Not sending to Mainline, since the problem does not exist there, it was
+caused by the backport of 2df200ab234a ("media: si470x-i2c: add missed
+operations in remove") to the stable trees.
+
+Cc: <stable@vger.kernel.org> # v3.18+
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/radio/si470x/radio-si470x-i2c.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/radio/si470x/radio-si470x-i2c.c
++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c
+@@ -453,10 +453,10 @@ static int si470x_i2c_remove(struct i2c_
+ 
+ 	free_irq(client->irq, radio);
+ 	video_unregister_device(&radio->videodev);
+-	kfree(radio);
+ 
+ 	v4l2_ctrl_handler_free(&radio->hdl);
+ 	v4l2_device_unregister(&radio->v4l2_dev);
++	kfree(radio);
+ 	return 0;
+ }
+ 
diff --git a/queue-4.14/series b/queue-4.14/series
index f26fb76d138..73b2864a001 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -49,3 +49,4 @@ media-dvb-usb-dvb-usb-urb.c-initialize-actlen-to-0.patch
 ttyprintk-fix-a-potential-deadlock-in-interrupt-context-issue.patch
 bluetooth-fix-race-condition-in-hci_release_sock.patch
 cgroup-prevent-double-killing-of-css-when-enabling-threaded-cgroup.patch
+media-si470x-i2c-move-free-past-last-use-of-radio.patch