LKML Archive on
 help / color / Atom feed
* [PATCH] media: rockchip/rga: fix potential use after free
@ 2019-11-05 15:55 Pan Bian
  2019-11-09 11:08 ` Hans Verkuil
  0 siblings, 1 reply; 2+ messages in thread
From: Pan Bian @ 2019-11-05 15:55 UTC (permalink / raw)
  To: Jacob Chen, Ezequiel Garcia, Mauro Carvalho Chehab, Heiko Stuebner
  Cc: linux-media, linux-arm-kernel, linux-rockchip, linux-kernel, Pan Bian

The variable vga->vfd is an alias for vfd. Therefore, releasing vfd and
then unregister vga->vfd will lead to a use after free bug. In fact, the
free operation and the unregister operation are reversed.

Signed-off-by: Pan Bian <>
 drivers/media/platform/rockchip/rga/rga.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c
index e9ff12b6b5bb..613b868fce33 100644
--- a/drivers/media/platform/rockchip/rga/rga.c
+++ b/drivers/media/platform/rockchip/rga/rga.c
@@ -901,9 +901,9 @@ static int rga_probe(struct platform_device *pdev)
 	return 0;
-	video_device_release(vfd);
+	video_device_release(vfd);

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-05 15:55 [PATCH] media: rockchip/rga: fix potential use after free Pan Bian
2019-11-09 11:08 ` Hans Verkuil

LKML Archive on

Archives are clonable:
	git clone --mirror lkml/git/0.git
	git clone --mirror lkml/git/1.git
	git clone --mirror lkml/git/2.git
	git clone --mirror lkml/git/3.git
	git clone --mirror lkml/git/4.git
	git clone --mirror lkml/git/5.git
	git clone --mirror lkml/git/6.git
	git clone --mirror lkml/git/7.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ \
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone