From c77d17c0985a70fa3cd2ecde1e4f4be0dd5e9e12 Mon Sep 17 00:00:00 2001
From: Sean Young <sean@mess.org>
Date: Mon, 31 Oct 2016 15:52:27 -0200
Subject: [PATCH] [media] lirc: use-after free while reading from device and
 unplugging

Many lirc drivers have their own receive buffers which are freed on
unplug (e.g. ir_lirc_unregister). This means that ir->buf->wait_poll
will be freed directly after unplug so do not remove yourself from the
wait queue.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
---
 drivers/media/rc/lirc_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c
index 7215891da248..d3039efb4e7c 100644
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -715,7 +715,7 @@ ssize_t lirc_dev_fop_read(struct file *file,
 
 			if (!ir->attached) {
 				ret = -ENODEV;
-				break;
+				goto out_locked;
 			}
 		} else {
 			lirc_buffer_read(ir->buf, buf);
-- 
2.39.5