Hi Andrey,
Could you please try this patch?
Thank you
The device is typically freed on failure after trying to set
USB interface0 to as5 in function au0828_analog_register.
Fix use-after-free by returning the error value inmediately
after failure, instead of jumping to au0828_usb_disconnect
where _dev_ is also freed.
Signed-off-by: Gustavo A. R. Silva <garsi...@embeddedor.com>
---
drivers/media/usb/au0828/au0828-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/media/usb/au0828/au0828-core.c
b/drivers/media/usb/au0828/au0828-core.c
index cd363a2..b4abd90 100644
--- a/drivers/media/usb/au0828/au0828-core.c
+++ b/drivers/media/usb/au0828/au0828-core.c
@@ -630,7 +630,7 @@ static int au0828_usb_probe(struct usb_interface *interface,
__func__);
mutex_unlock(&dev->lock);
kfree(dev);
- goto done;
+ return retval;
}
/* Digital TV */
@@ -655,7 +655,6 @@ static int au0828_usb_probe(struct usb_interface *interface,
retval = au0828_media_device_register(dev, usbdev);
-done:
if (retval < 0)
au0828_usb_disconnect(interface);
--
2.7.4
