[PATCH] Fix the risk of an oops at dvb_dmx_release

Mauro Carvalho Chehab Mon, 01 Feb 2010 05:35:33 -0800

dvb_dmx_init tries to allocate virtual memory for 2 pointers: filter and feed.


If the second vmalloc fails, filter is freed, but the pointer keeps pointing
to the old place. Later, when dvb_dmx_release() is called, it will try to
free an already freed memory, causing an OOPS.

Signed-off-by: Mauro Carvalho Chehab <mche...@redhat.com>
---
 drivers/media/dvb/dvb-core/dvb_demux.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/drivers/media/dvb/dvb-core/dvb_demux.c 
b/drivers/media/dvb/dvb-core/dvb_demux.c
index b78cfb7..a78408e 100644
--- a/drivers/media/dvb/dvb-core/dvb_demux.c
+++ b/drivers/media/dvb/dvb-core/dvb_demux.c
@@ -1246,6 +1246,7 @@ int dvb_dmx_init(struct dvb_demux *dvbdemux)
        dvbdemux->feed = vmalloc(dvbdemux->feednum * sizeof(struct 
dvb_demux_feed));
        if (!dvbdemux->feed) {
                vfree(dvbdemux->filter);
+               dvbdemux->filter = NULL;
                return -ENOMEM;
        }
        for (i = 0; i < dvbdemux->filternum; i++) {
-- 
1.6.6.1


--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] Fix the risk of an oops at dvb_dmx_release

Reply via email to