Re: [PATCH] Sound, 6Fire USB: Fix double-free bug in usb6fire_fw_ezusb_upload()
From: Takashi Iwai
Date: Tue Jun 14 2011 - 01:28:51 EST
At Mon, 13 Jun 2011 23:52:02 +0200 (CEST),
Jesper Juhl wrote:
>
> We have a double-free bug in
> sound/usb/6fire/firmware.c::usb6fire_fw_ezusb_upload().
> We already call release_firmware(fw) on line 258, so when we then do it
> again after usb6fire_fw_ezusb_write() returns <0, we have a double-free.
> Easily fixed by just removing the last call to release_firmware().
>
> Signed-off-by: Jesper Juhl <jj@xxxxxxxxxxxxx>
Applied now. Thanks.
Takashi
> ---
> firmware.c | 1 -
> 1 file changed, 1 deletion(-)
>
> Patch against Linus' tree (head at 40779859de0f73b40390c6401a024d06cf024290).
>
> diff --git a/sound/usb/6fire/firmware.c b/sound/usb/6fire/firmware.c
> index a91719d..1e3ae33 100644
> --- a/sound/usb/6fire/firmware.c
> +++ b/sound/usb/6fire/firmware.c
> @@ -270,7 +270,6 @@ static int usb6fire_fw_ezusb_upload(
> data = 0x00; /* resume ezusb cpu */
> ret = usb6fire_fw_ezusb_write(device, 0xa0, 0xe600, &data, 1);
> if (ret < 0) {
> - release_firmware(fw);
> snd_printk(KERN_ERR PREFIX "unable to upload ezusb "
> "firmware %s: end message.\n", fwname);
> return ret;
>
>
> --
> Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/
> Don't top-post http://www.catb.org/jargon/html/T/top-post.html
> Plain text mails only, please.
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/