On Tue, Dec 08, 2015 at 11:38:59AM +0000, Pathak, Rahul (R.) wrote:
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index 38ae877c..05266f0 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -1395,11 +1395,9 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
> number_of_packets = uurb->number_of_packets;
> isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
> number_of_packets;
> - isopkt = kmalloc(isofrmlen, GFP_KERNEL);
> - if (!isopkt)
> - return -ENOMEM;
> - if (copy_from_user(isopkt, iso_frame_desc, isofrmlen)) {
> - ret = -EFAULT;
> + isopkt = memdup_user(iso_frame_desc, isofrmlen);
> + if (IS_ERR(isopkt)) {
> + ret = PTR_ERR(isopkt);
> goto error;
This introduces a one err bug.
https://plus.google.com/106378716002406849458/posts/dnanfhQ4mHQ
We can't call kfree(isopkt) when it is an ERR_PTR.
Set it to NULL:
isopkt = memdup_user(iso_frame_desc, isofrmlen);
if (IS_ERR(isopkt)) {
ret = PTR_ERR(isopkt);
isopkt = NULL;
goto error;
}
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
