stv680: kfree called before usb_kill_urb

Message ID	200907031848.49825.oliver@neukum.org (mailing list archive)
State	Superseded, archived
Headers	Envelope-to: mchehab@infradead.org Delivery-date: Fri, 03 Jul 2009 16:48:44 +0000 sender: neukum_org@smtp-out002.kontent.com) by smtp-out002.kontent.com (Postfix) with ESMTPSA id 4029558058C1; Fri, 3 Jul 2009 18:48:38 +0200 (CEST) From: Oliver Neukum <oliver@neukum.org> To: kjsisson@bellsouth.net, mchehab@infradead.org, linux-media@vger.kernel.org, USB list <linux-usb@vger.kernel.org> Subject: [patch]stv680: kfree called before usb_kill_urb Date: Fri, 3 Jul 2009 18:48:49 +0200 User-Agent: KMail/1.10.3 (Linux/2.6.30-0.1-default; KDE/4.1.3; x86_64; ; ) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200907031848.49825.oliver@neukum.org> Sender: linux-media-owner@vger.kernel.org Precedence: bulk

Message ID

200907031848.49825.oliver@neukum.org (mailing list archive)

State

Superseded, archived

Headers

Envelope-to: mchehab@infradead.org
Delivery-date: Fri, 03 Jul 2009 16:48:44 +0000
From: Oliver Neukum <oliver@neukum.org>
To: kjsisson@bellsouth.net, mchehab@infradead.org,
	linux-media@vger.kernel.org, USB list <linux-usb@vger.kernel.org>
Subject: [patch]stv680: kfree called before usb_kill_urb
Date: Fri, 3 Jul 2009 18:48:49 +0200
User-Agent: KMail/1.10.3 (Linux/2.6.30-0.1-default; KDE/4.1.3; x86_64; ; )
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200907031848.49825.oliver@neukum.org>
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk

Commit Message

Oliver Neukum July 3, 2009, 4:48 p.m. UTC

  The irq handler will touch memory. Even in the error case some URBs may
complete. Thus no memory must be kfreed before all URBs are killed.

Signed-off-by: Oliver Neukum <oliver@neukum.org>

--

commit e91d238d2b6f83f9b64b57b570ee150b1cd008e7
Author: Oliver Neukum <oneukum@linux-d698.(none)>
Date:   Fri Jul 3 18:18:26 2009 +0200

    stv680: fix access to freed memory in error case
    
    in the error case some URBs may be active and access memory
    URBs must be killed before any memory is freed


--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Greg KH July 10, 2009, 10:26 p.m. UTC | #1

On Fri, Jul 03, 2009 at 06:48:49PM +0200, Oliver Neukum wrote:
> The irq handler will touch memory. Even in the error case some URBs may
> complete. Thus no memory must be kfreed before all URBs are killed.
> 
> Signed-off-by: Oliver Neukum <oliver@neukum.org>

Acked-by: Greg Kroah-Hartman <gregkh@suse.de>

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff mbox

Patch

diff --git a/drivers/media/video/stv680.c b/drivers/media/video/stv680.c
index 75f286f..58c0148 100644
--- a/drivers/media/video/stv680.c
+++ b/drivers/media/video/stv680.c
@@ -733,10 +733,6 @@  static int stv680_start_stream (struct usb_stv *stv680)
 	return 0;
 
  nomem_err:
-	for (i = 0; i < STV680_NUMSCRATCH; i++) {
-		kfree(stv680->scratch[i].data);
-		stv680->scratch[i].data = NULL;
-	}
 	for (i = 0; i < STV680_NUMSBUF; i++) {
 		usb_kill_urb(stv680->urb[i]);
 		usb_free_urb(stv680->urb[i]);
@@ -744,6 +740,11 @@  static int stv680_start_stream (struct usb_stv *stv680)
 		kfree(stv680->sbuf[i].data);
 		stv680->sbuf[i].data = NULL;
 	}
+	/* used in irq, free only as all URBs are dead */
+	for (i = 0; i < STV680_NUMSCRATCH; i++) {
+		kfree(stv680->scratch[i].data);
+		stv680->scratch[i].data = NULL;
+	}
 	return -ENOMEM;
 
 }