V4L/DVB: Fix the risk of an oops at dvb_dmx_release
authorMauro Carvalho Chehab <mchehab@redhat.com>
Mon, 1 Feb 2010 13:35:22 +0000 (10:35 -0300)
committerMauro Carvalho Chehab <mchehab@redhat.com>
Mon, 8 Feb 2010 12:45:24 +0000 (10:45 -0200)
dvb_dmx_init tries to allocate virtual memory for 2 pointers: filter and feed.

If the second vmalloc fails, filter is freed, but the pointer keeps pointing
to the old place. Later, when dvb_dmx_release() is called, it will try to
free an already freed memory, causing an OOPS.

Reviewed-by: Andy Walls <awalls@radix.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
drivers/media/dvb/dvb-core/dvb_demux.c

index b78cfb7d1897dcb956508f034cdfffb1e5af3174..a78408e76e7548a9b15a00344536c0393cf2f540 100644 (file)
@@ -1246,6 +1246,7 @@ int dvb_dmx_init(struct dvb_demux *dvbdemux)
        dvbdemux->feed = vmalloc(dvbdemux->feednum * sizeof(struct dvb_demux_feed));
        if (!dvbdemux->feed) {
                vfree(dvbdemux->filter);
+               dvbdemux->filter = NULL;
                return -ENOMEM;
        }
        for (i = 0; i < dvbdemux->filternum; i++) {