On Thu, Dec 20, 2018 at 09:41:16PM +0800, Jia-Ju Bai wrote:
> In drivers/usb/serial/garmin_gps.c,
> the functions garmin_read_bulk_callback() and garmin_write_bulk_callback()
> may be concurrently executed.
>
> In garmin_write_bulk_callback() on line 969:
>     kfree(urb->transfer_buffer);
> In garmin_read_bulk_callback() on line 1165:
>     unsigned char *data = urb->transfer_buffer;
> Thus, a concurrency use-after-free bug may occur.

No, they operate on different struct urb.

> This possible bug is found by a static analysis tool written by myself.

Seems you need to update your tool. Please also make sure to review its
output before reporting anything.

Thanks,
Johan