This is an automatic generated email to let you know that the following patch were queued:
Subject: media: em28xx: Fix use-after-free in em28xx_alloc_urbs Author: Dinghao Liu <[email protected]> Date: Mon Dec 28 14:02:05 2020 +0100 When kzalloc() fails, em28xx_uninit_usb_xfer() will free usb_bufs->buf and set it to NULL. Thus the later access to usb_bufs->buf[i] will lead to null pointer dereference. Also the kfree(usb_bufs->buf) after that is redundant. Fixes: d571b592c6206 ("media: em28xx: don't use coherent buffer for DMA transfers") Signed-off-by: Dinghao Liu <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> drivers/media/usb/em28xx/em28xx-core.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) --- diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c index e6088b5d1b80..3daa64bb1e1d 100644 --- a/drivers/media/usb/em28xx/em28xx-core.c +++ b/drivers/media/usb/em28xx/em28xx-core.c @@ -956,14 +956,10 @@ int em28xx_alloc_urbs(struct em28xx *dev, enum em28xx_mode mode, int xfer_bulk, usb_bufs->buf[i] = kzalloc(sb_size, GFP_KERNEL); if (!usb_bufs->buf[i]) { - em28xx_uninit_usb_xfer(dev, mode); - for (i--; i >= 0; i--) kfree(usb_bufs->buf[i]); - kfree(usb_bufs->buf); - usb_bufs->buf = NULL; - + em28xx_uninit_usb_xfer(dev, mode); return -ENOMEM; } _______________________________________________ linuxtv-commits mailing list [email protected] https://www.linuxtv.org/cgi-bin/mailman/listinfo/linuxtv-commits
