From 36010ff6788a058147ae15a1aebf97fd30fa51a9 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Mon, 6 Oct 2008 12:22:51 +0200 Subject: [PATCH] [Bluetooth] Fix double frees on error paths of btusb and bpa10x drivers The transfer buffer of an URB will be automatically freed when using the URB_FREE_BUFFER transfer_flag. So the extra calls to kfree() will cause a double free. Reported-by: Justin Mattock Signed-off-by: Rabin Vincent Signed-off-by: Marcel Holtmann --- drivers/bluetooth/bpa10x.c | 2 -- drivers/bluetooth/btusb.c | 3 --- 2 files changed, 5 deletions(-) diff --git a/drivers/bluetooth/bpa10x.c b/drivers/bluetooth/bpa10x.c index 1e55a658e6ce..32f3a8ed8d3d 100644 --- a/drivers/bluetooth/bpa10x.c +++ b/drivers/bluetooth/bpa10x.c @@ -256,7 +256,6 @@ static inline int bpa10x_submit_intr_urb(struct hci_dev *hdev) BT_ERR("%s urb %p submission failed (%d)", hdev->name, urb, -err); usb_unanchor_urb(urb); - kfree(buf); } usb_free_urb(urb); @@ -298,7 +297,6 @@ static inline int bpa10x_submit_bulk_urb(struct hci_dev *hdev) BT_ERR("%s urb %p submission failed (%d)", hdev->name, urb, -err); usb_unanchor_urb(urb); - kfree(buf); } usb_free_urb(urb); diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 29ae99817c60..262e9bebebc9 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -271,7 +271,6 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev) BT_ERR("%s urb %p submission failed (%d)", hdev->name, urb, -err); usb_unanchor_urb(urb); - kfree(buf); } usb_free_urb(urb); @@ -354,7 +353,6 @@ static int btusb_submit_bulk_urb(struct hci_dev *hdev) BT_ERR("%s urb %p submission failed (%d)", hdev->name, urb, -err); usb_unanchor_urb(urb); - kfree(buf); } usb_free_urb(urb); @@ -475,7 +473,6 @@ static int btusb_submit_isoc_urb(struct hci_dev *hdev) BT_ERR("%s urb %p submission failed (%d)", hdev->name, urb, -err); usb_unanchor_urb(urb); - kfree(buf); } usb_free_urb(urb); -- 2.34.1