The irq handler will touch memory. Even in the error case some URBs may
complete. Thus no memory must be kfreed before all URBs are killed.
Signed-off-by: Oliver Neukum <oliver@xxxxxxxxxx>
--
commit e91d238d2b6f83f9b64b57b570ee150b1cd008e7
Author: Oliver Neukum <oneukum@linux-d698.(none)>
Date: Fri Jul 3 18:18:26 2009 +0200
stv680: fix access to freed memory in error case
in the error case some URBs may be active and access memory
URBs must be killed before any memory is freed
diff --git a/drivers/media/video/stv680.c b/drivers/media/video/stv680.c
index 75f286f..58c0148 100644
--- a/drivers/media/video/stv680.c
+++ b/drivers/media/video/stv680.c
@@ -733,10 +733,6 @@ static int stv680_start_stream (struct usb_stv *stv680)
return 0;
nomem_err:
- for (i = 0; i < STV680_NUMSCRATCH; i++) {
- kfree(stv680->scratch[i].data);
- stv680->scratch[i].data = NULL;
- }
for (i = 0; i < STV680_NUMSBUF; i++) {
usb_kill_urb(stv680->urb[i]);
usb_free_urb(stv680->urb[i]);
@@ -744,6 +740,11 @@ static int stv680_start_stream (struct usb_stv *stv680)
kfree(stv680->sbuf[i].data);
stv680->sbuf[i].data = NULL;
}
+ /* used in irq, free only as all URBs are dead */
+ for (i = 0; i < STV680_NUMSCRATCH; i++) {
+ kfree(stv680->scratch[i].data);
+ stv680->scratch[i].data = NULL;
+ }
return -ENOMEM;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
