From 16cedd99c64cc9f128a3e9bb0613980833b7f938 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niklas=20S=C3=B6derlund?=
Date: Tue, 24 Apr 2018 19:45:06 -0400
Subject: [PATCH] media: rcar-vin: fix null pointer dereference in rvin_group_get()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Store the group pointer before disassociating the VIN from the group.
Fixes: 3bb4c3bc85bf77a7 ("media: rcar-vin: add group allocator functions")
Reported-by: Colin Ian King
Signed-off-by: Niklas Söderlund
Reviewed-by: Simon Horman
Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/platform/rcar-vin/rcar-core.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/media/platform/rcar-vin/rcar-core.c b/drivers/media/platform/rcar-vin/rcar-core.c
index 55b745ac86a5..51e6694c4946 100644
--- a/drivers/media/platform/rcar-vin/rcar-core.c
+++ b/drivers/media/platform/rcar-vin/rcar-core.c
@@ -338,19 +338,21 @@ err_group:
 static void rvin_group_put(struct rvin_dev *vin)
 {
- mutex_lock(&vin->group->lock);
+ struct rvin_group *group = vin->group;
+
+ mutex_lock(&group->lock);
 vin->group = NULL;
 vin->v4l2_dev.mdev = NULL;
- if (WARN_ON(vin->group->vin[vin->id] != vin))
+ if (WARN_ON(group->vin[vin->id] != vin))
 goto out;
- vin->group->vin[vin->id] = NULL;
+ group->vin[vin->id] = NULL;
 out:
- mutex_unlock(&vin->group->lock);
+ mutex_unlock(&group->lock);
- kref_put(&vin->group->refcount, rvin_group_release);
+ kref_put(&group->refcount, rvin_group_release);
 }
 /* -----------------------------------------------------------------------------
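Review bot: `rvin_group_put()` still dereferences the cached pointer unconditionally at `mutex_lock(&group->lock)`, so a call on a VIN whose `vin->group` is already NULL (for example a second put, or an error path that runs before the VIN joined a group) would fault just as the old code did. The callers are outside this hunk, so whether that path is reachable cannot be confirmed from here; if it is, an early `if (WARN_ON(!group)) return;` before taking the lock would turn the oops into a warning. The local also deserves a short comment explaining the lifetime rule the fix relies on, e.g. `/* Cache the group: vin->group is cleared below, and kref_put() may free the group, so it must not be used after that call. */`. Note that the `goto out` path still drops a reference even when `group->vin[vin->id] != vin`, which may be intended but is worth stating in that comment.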