diff options
author | Alan Stern <stern@rowland.harvard.edu> | 2012-07-19 22:08:21 +0200 |
---|---|---|
committer | Jiri Kosina <jkosina@suse.cz> | 2012-07-20 11:24:23 +0200 |
commit | 668160e5a80536251b4931a332dfe34d6ec2aeb7 (patch) | |
tree | 326dff1f73e54f8f57a49b090a9f0411cd22dfdb /drivers/hid/hid-gyration.c | |
parent | Merge branch 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/gi... (diff) | |
download | linux-668160e5a80536251b4931a332dfe34d6ec2aeb7.tar.xz linux-668160e5a80536251b4931a332dfe34d6ec2aeb7.zip |
HID: usbhid: fix use-after-free bug
This patch (as1592) fixes an obscure problem in the usbhid driver.
Under some circumstances, a control or interrupt-OUT URB can be
submitted twice. This will happen if the first submission fails; the
queue pointers aren't updated, so the next time the queue is restarted
the same URB will be submitted again.
The problem is that raw_report gets deallocated during the first
submission. The second submission will then dereference and try to
free an already-freed region of memory. The patch fixes the problem
by setting raw_report to NULL when it is deallocated and checking for
NULL before dereferencing it.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers/hid/hid-gyration.c')
0 files changed, 0 insertions, 0 deletions