From e36c92fd63bb4773e6f4bc38ecee11a609ded1cf Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 14 Aug 2012 02:58:15 -0300
Subject: [PATCH] [media] em28xx: use after free in em28xx_v4l2_close()

We need to move the unlock before the kfree(dev);

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
---
 drivers/media/usb/em28xx/em28xx-video.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/em28xx/em28xx-video.c b/drivers/media/usb/em28xx/em28xx-video.c
index ecb23df..78d6ebd 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -2264,9 +2264,9 @@ static int em28xx_v4l2_close(struct file *filp)
 		if (dev->state & DEV_DISCONNECTED) {
 			em28xx_release_resources(dev);
 			kfree(dev->alt_max_pkt_size);
+			mutex_unlock(&dev->lock);
 			kfree(dev);
 			kfree(fh);
-			mutex_unlock(&dev->lock);
 			return 0;
 		}
 
-- 
2.7.4