USB: ir-usb: fix double free

If the user specifies a custom bulk buffer size we get a double free at port release. Cc: stable <stable@kernel.org> Signed-off-by: N Johan Hovold <jhovold@gmail.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@suse.de>

USB: ir-usb: fix double free
If the user specifies a custom bulk buffer size we get a double free at port release. Cc: stable <stable@kernel.org> Signed-off-by: N Johan Hovold <jhovold@gmail.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@suse.de>
2ff78c0c · Johan Hovold · Greg Kroah-Hartman · 16032c4f · 2ff78c0c
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

drivers/usb/serial/ir-usb.c drivers/usb/serial/ir-usb.c +2 -0

未找到文件。
--- a/drivers/usb/serial/ir-usb.c
+++ b/drivers/usb/serial/ir-usb.c
@@ -312,6 +312,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
 		kfree(port->read_urb->transfer_buffer);
 		port->read_urb->transfer_buffer = buffer;
 		port->read_urb->transfer_buffer_length = buffer_size;
+		port->bulk_in_buffer = buffer;

 		buffer = kmalloc(buffer_size, GFP_KERNEL);
 		if (!buffer) {
@@ -321,6 +322,7 @@ static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
 		kfree(port->write_urb->transfer_buffer);
 		port->write_urb->transfer_buffer = buffer;
 		port->write_urb->transfer_buffer_length = buffer_size;
+		port->bulk_out_buffer = buffer;
 		port->bulk_out_size = buffer_size;
 	}