Sorry for the ambiguous description. I mean after usb_free_urb(urb) at line 723,
do we need set NULL to mos7840_port->write_urb_pool[j], otherwise the
freed urb pointer
may be used somewhere?
Sorry for the non-specfic comment again.
thanks,
Nil Yi
Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> 于2021年8月1日周日 下午8:15写道:
>
> On Sun, Aug 01, 2021 at 05:03:30PM +0800, nil Yi wrote:
> > Hi, there is a dangling pointer in mos7840_port->write_urb_pool[j] in function
> > mos7840_open in v5.14-rc3.
> >
> > in function mos7840_open err path :
> >
> > 717: err:
> > 718: for (j = 0; j < NUM_URBS; ++j) {
> > 719: urb = mos7840_port->write_urb_pool[j];
> > 720: if (!urb)
> > 721: continue;
> > 722: kfree(urb->transfer_buffer);
> > 723: usb_free_urb(urb);
> > }
> >
> > leave a dangling pointer here, I'm not sure whether it can be
> > triggered somewhere.
>
> What exactly do you mean by "dangling pointer"? What specifically is
> the bug here?
>
> thanks,
>
> greg k-h
