From patchwork Fri Jul 3 16:48:49 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Oliver Neukum X-Patchwork-Id: 33974 X-Patchwork-Delegate: dougsland@redhat.com Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n63GmgFb012861 for ; Fri, 3 Jul 2009 16:48:43 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756369AbZGCQsh (ORCPT ); Fri, 3 Jul 2009 12:48:37 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1756519AbZGCQsg (ORCPT ); Fri, 3 Jul 2009 12:48:36 -0400 Received: from smtp-out002.kontent.com ([81.88.40.216]:59581 "EHLO smtp-out002.kontent.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756369AbZGCQsg (ORCPT ); Fri, 3 Jul 2009 12:48:36 -0400 Received: from linux-d698.localnet (p549A1F55.dip0.t-ipconnect.de [84.154.31.85]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: neukum_org@smtp-out002.kontent.com) by smtp-out002.kontent.com (Postfix) with ESMTPSA id 4029558058C1; Fri, 3 Jul 2009 18:48:38 +0200 (CEST) From: Oliver Neukum To: kjsisson@bellsouth.net, mchehab@infradead.org, linux-media@vger.kernel.org, USB list Subject: [patch]stv680: kfree called before usb_kill_urb Date: Fri, 3 Jul 2009 18:48:49 +0200 User-Agent: KMail/1.10.3 (Linux/2.6.30-0.1-default; KDE/4.1.3; x86_64; ; ) MIME-Version: 1.0 Content-Disposition: inline Message-Id: <200907031848.49825.oliver@neukum.org> Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org The irq handler will touch memory. Even in the error case some URBs may complete. Thus no memory must be kfreed before all URBs are killed. Signed-off-by: Oliver Neukum Acked-by: Greg Kroah-Hartman --- commit e91d238d2b6f83f9b64b57b570ee150b1cd008e7 Author: Oliver Neukum Date: Fri Jul 3 18:18:26 2009 +0200 stv680: fix access to freed memory in error case in the error case some URBs may be active and access memory URBs must be killed before any memory is freed -- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/media/video/stv680.c b/drivers/media/video/stv680.c index 75f286f..58c0148 100644 --- a/drivers/media/video/stv680.c +++ b/drivers/media/video/stv680.c @@ -733,10 +733,6 @@ static int stv680_start_stream (struct usb_stv *stv680) return 0; nomem_err: - for (i = 0; i < STV680_NUMSCRATCH; i++) { - kfree(stv680->scratch[i].data); - stv680->scratch[i].data = NULL; - } for (i = 0; i < STV680_NUMSBUF; i++) { usb_kill_urb(stv680->urb[i]); usb_free_urb(stv680->urb[i]); @@ -744,6 +740,11 @@ static int stv680_start_stream (struct usb_stv *stv680) kfree(stv680->sbuf[i].data); stv680->sbuf[i].data = NULL; } + /* used in irq, free only as all URBs are dead */ + for (i = 0; i < STV680_NUMSCRATCH; i++) { + kfree(stv680->scratch[i].data); + stv680->scratch[i].data = NULL; + } return -ENOMEM; }