首页 发现 帮助
注册 登录
phyus
/
linux-vybrid_public
8
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

[Bluetooth] Fix double frees on error paths of btusb and bpa10x drivers

The transfer buffer of an URB will be automatically freed when using
the URB_FREE_BUFFER transfer_flag. So the extra calls to kfree() will
cause a double free.

Reported-by: Justin Mattock <justinmattock@gmail.com>
Signed-off-by: Rabin Vincent <rabin@rab.in>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Marcel Holtmann 16 年之前
父节点
94aca1dac6
当前提交
36010ff678
共有 2 个文件被更改,包括 0 次插入5 次删除
分列视图 显示文件统计
  1. 0 2
      drivers/bluetooth/bpa10x.c
  2. 0 3
      drivers/bluetooth/btusb.c

+ 0 - 2
drivers/bluetooth/bpa10x.c
查看文件 

@@ -256,7 +256,6 @@ static inline int bpa10x_submit_intr_urb(struct hci_dev *hdev)
 
 		BT_ERR("%s urb %p submission failed (%d)",
 
 						hdev->name, urb, -err);
 
 		usb_unanchor_urb(urb);
 
-		kfree(buf);
 
 	}
 
 
 	usb_free_urb(urb);
 
@@ -298,7 +297,6 @@ static inline int bpa10x_submit_bulk_urb(struct hci_dev *hdev)
 
 		BT_ERR("%s urb %p submission failed (%d)",
 
 						hdev->name, urb, -err);
 
 		usb_unanchor_urb(urb);
 
-		kfree(buf);
 
 	}
 
 
 	usb_free_urb(urb);

+ 0 - 3
drivers/bluetooth/btusb.c
查看文件 

@@ -271,7 +271,6 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev)
 
 		BT_ERR("%s urb %p submission failed (%d)",
 
 						hdev->name, urb, -err);
 
 		usb_unanchor_urb(urb);
 
-		kfree(buf);
 
 	}
 
 
 	usb_free_urb(urb);
 
@@ -354,7 +353,6 @@ static int btusb_submit_bulk_urb(struct hci_dev *hdev)
 
 		BT_ERR("%s urb %p submission failed (%d)",
 
 						hdev->name, urb, -err);
 
 		usb_unanchor_urb(urb);
 
-		kfree(buf);
 
 	}
 
 
 	usb_free_urb(urb);
 
@@ -475,7 +473,6 @@ static int btusb_submit_isoc_urb(struct hci_dev *hdev)
 
 		BT_ERR("%s urb %p submission failed (%d)",
 
 						hdev->name, urb, -err);
 
 		usb_unanchor_urb(urb);
 
-		kfree(buf);
 
 	}
 
 
 	usb_free_urb(urb);