Skip to content

L
linux
Commit 2ff78c0c authored by Johan Hovold's avatar Johan Hovold Committed by Greg Kroah-Hartman
Browse files
Options

USB: ir-usb: fix double free 

If the user specifies a custom bulk buffer size we get a double free at
port release.

Cc: stable <stable@kernel.org>
Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 16032c4f
Hide whitespace changes
Inline Side-by-side
Showing with 2 additions and 0 deletions
drivers/usb/serial/ir-usb.c
View file @ 2ff78c0c
...@@ -312,6 +312,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port) ...@@ -312,6 +312,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
kfree(port->read_urb->transfer_buffer); kfree(port->read_urb->transfer_buffer);
port->read_urb->transfer_buffer = buffer; port->read_urb->transfer_buffer = buffer;
port->read_urb->transfer_buffer_length = buffer_size; port->read_urb->transfer_buffer_length = buffer_size;
port->bulk_in_buffer = buffer;
buffer = kmalloc(buffer_size, GFP_KERNEL); buffer = kmalloc(buffer_size, GFP_KERNEL);
if (!buffer) { if (!buffer) {
...@@ -321,6 +322,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port) ...@@ -321,6 +322,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
kfree(port->write_urb->transfer_buffer); kfree(port->write_urb->transfer_buffer);
port->write_urb->transfer_buffer = buffer; port->write_urb->transfer_buffer = buffer;
port->write_urb->transfer_buffer_length = buffer_size; port->write_urb->transfer_buffer_length = buffer_size;
port->bulk_out_buffer = buffer;
port->bulk_out_size = buffer_size; port->bulk_out_size = buffer_size;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7