projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0e66fb3)
USB: fix double frees in error code paths of ipaq driver
authorOliver Neukum <oliver@neukum.org>
Mon, 17 Sep 2007 18:15:53 +0000 (20:15 +0200)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 12 Oct 2007 21:55:26 +0000 (14:55 -0700)
the error code paths can be enter with buffers to freed buffers.
Serial core would do a kfree() on memory already freed.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/usb/serial/ipaq.c patch | blob | blame | history

diff --git a/drivers/usb/serial/ipaq.c b/drivers/usb/serial/ipaq.c
index 6a3a704b58498bff271b34351dd382049f7cbcd2..c1a6484f65248db56660293387a6925ec342feb2 100644 (file)
--- a/drivers/usb/serial/ipaq.c
+++ b/drivers/usb/serial/ipaq.c
@@ -646,11 +646,13 @@ static int ipaq_open(struct usb_serial_port *port, struct file *filp)
        kfree(port->bulk_out_buffer);
        port->bulk_in_buffer = kmalloc(URBDATA_SIZE, GFP_KERNEL);
        if (port->bulk_in_buffer == NULL) {
+               port->bulk_out_buffer = NULL; /* prevent double free */
                goto enomem;
        }
        port->bulk_out_buffer = kmalloc(URBDATA_SIZE, GFP_KERNEL);
        if (port->bulk_out_buffer == NULL) {
                kfree(port->bulk_in_buffer);
+               port->bulk_in_buffer = NULL;
                goto enomem;
        }
        port->read_urb->transfer_buffer = port->bulk_in_buffer;