iso_buffer should be set to NULL after use and free in the while loop. In the case of an isochronous URB in the while loop, iso_buffer is allocated and after sending it to the server, the buffer is deallocated. And then, if the next URB in the while loop is not an isochronous pipe, iso_buffer still holds the previously deallocated buffer address and kfree tries to free the wrong buffer address.

Fixes: ea44d190764b (“usbip: Implement SG support to vhci-hcd and stub driver”)
Reported-by: kbuild test robot <lkp@xxxxxxxxx>
Reported-by: Julia Lawall <julia.lawall@xxxxxxx>
Signed-off-by: Suwan Kim <suwan.kim027@xxxxxxxxx>
--- drivers/usb/usbip/vhci_tx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/usb/usbip/vhci_tx.c b/drivers/usb/usbip/vhci_tx.c index c3803785f6ef..b290e810d11b 100644 --- a/drivers/usb/usbip/vhci_tx.c +++ b/drivers/usb/usbip/vhci_tx.c @@ -73,6 +73,7 @@ static int vhci_send_cmd_submit(struct vhci_device *vdev) memset(&pdu_header, 0, sizeof(pdu_header)); memset(&msg, 0, sizeof(msg)); memset(&iov, 0, sizeof(iov)); + iso_buffer = NULL; usbip_dbg_vhci_tx("setup txdata urb seqnum %lu\n", priv->seqnum); -- 2.21.0
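Review bot: The reset in vhci_send_cmd_submit() sits with the memset() calls at the start of the per-URB setup, not at the free the commit message describes ("set to NULL after use and free"), so iso_buffer still holds a freed address from the kfree until the next pass reaches this line. That stops the stale kfree on a following non-isochronous URB only if every path to the kfree runs through this assignment first, and the hunk does not show the error paths or whether the declaration is initialised. Consider clearing the pointer directly after the kfree as well, or initialising it at declaration, and add a one-line comment here, since `iso_buffer = NULL;` after three memset() calls reads like routine zeroing rather than a fix for freeing a stale pointer.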