stv680: kfree called before usb_kill_urb
Commit Message
The irq handler will touch memory. Even in the error case some URBs may
complete. Thus no memory must be kfreed before all URBs are killed.
Signed-off-by: Oliver Neukum <oliver@neukum.org>
--
commit e91d238d2b6f83f9b64b57b570ee150b1cd008e7
Author: Oliver Neukum <oneukum@linux-d698.(none)>
Date: Fri Jul 3 18:18:26 2009 +0200
stv680: fix access to freed memory in error case
in the error case some URBs may be active and access memory
URBs must be killed before any memory is freed
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Comments
On Fri, Jul 03, 2009 at 06:48:49PM +0200, Oliver Neukum wrote:
> The irq handler will touch memory. Even in the error case some URBs may
> complete. Thus no memory must be kfreed before all URBs are killed.
>
> Signed-off-by: Oliver Neukum <oliver@neukum.org>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
thanks,
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
@@ -733,10 +733,6 @@ static int stv680_start_stream (struct usb_stv *stv680)
return 0;
nomem_err:
- for (i = 0; i < STV680_NUMSCRATCH; i++) {
- kfree(stv680->scratch[i].data);
- stv680->scratch[i].data = NULL;
- }
for (i = 0; i < STV680_NUMSBUF; i++) {
usb_kill_urb(stv680->urb[i]);
usb_free_urb(stv680->urb[i]);
@@ -744,6 +740,11 @@ static int stv680_start_stream (struct usb_stv *stv680)
kfree(stv680->sbuf[i].data);
stv680->sbuf[i].data = NULL;
}
+ /* used in irq, free only as all URBs are dead */
+ for (i = 0; i < STV680_NUMSCRATCH; i++) {
+ kfree(stv680->scratch[i].data);
+ stv680->scratch[i].data = NULL;
+ }
return -ENOMEM;
}