From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 25 Sep 2014 11:40:08 +0000 (-0300)
Subject: [media] xc5000: use after free in release()
X-Git-Tag: v4.9.8~5446^2~8
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4961a5323f5d873e2170c5ef4f48538930e6df3e;p=platform%2Fkernel%2Flinux-rpi3.git

[media] xc5000: use after free in release()

I moved the call to hybrid_tuner_release_state(priv) after
"priv->firmware" dereference.

Fixes: 5264a522a597 ('[media] media: tuner xc5000 - release firmwware from xc5000_release()')

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---

diff --git a/drivers/media/tuners/xc5000.c b/drivers/media/tuners/xc5000.c
index e44c8ab..803a0e6 100644
--- a/drivers/media/tuners/xc5000.c
+++ b/drivers/media/tuners/xc5000.c
@@ -1333,9 +1333,9 @@ static int xc5000_release(struct dvb_frontend *fe)
 
 	if (priv) {
 		cancel_delayed_work(&priv->timer_sleep);
-		hybrid_tuner_release_state(priv);
 		if (priv->firmware)
 			release_firmware(priv->firmware);
+		hybrid_tuner_release_state(priv);
 	}
 
 	mutex_unlock(&xc5000_list_mutex);