tegra: camera: Fix UAF security issue
Frank Chen [Wed, 14 Dec 2016 19:36:41 +0000 (11:36 -0800)]
Fix UAF (use-after-free) security issue in
camera.pcl driver

Bug 1832830

Change-Id: Ie0f8a58a7bb9d1b4949e0f68d25d6da108f06e76
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1271371
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

drivers/media/platform/tegra/camera.c

index 041c830..9017e7f 100644 (file)
@@ -526,13 +526,13 @@ static int camera_new_device(struct camera_info *cam, unsigned long arg)
                        next_dev->client->addr == dev_info.addr) {
                        dev_dbg(cam_desc.dev,
                                "%s: device already exists.\n", __func__);
-                       camera_remove_device(new_dev, false);
                        if (atomic_xchg(&next_dev->in_use, 1)) {
                                dev_err(cam_desc.dev, "%s device %s BUSY\n",
                                        __func__, next_dev->name);
                                err = -EBUSY;
                                goto new_device_err;
-                       }
+                       } else
+                               camera_remove_device(new_dev, false);
                        new_dev = next_dev;
                        goto new_device_done;
                }