public inbox for linux-media@vger.kernel.org
* [BUG] drivers: media: rc: imon.c: dangling pointer in function imon_init_intf1
@ 2021-08-01  8:32 nil Yi
  2021-08-01  9:12 ` Sean Young
  0 siblings, 1 reply; 2+ messages in thread
From: nil Yi @ 2021-08-01  8:32 UTC (permalink / raw)
  To: sean, linux-media

Hi, there is a dangling pointer in ictx->rx_urb_intf1 in function
imon_init_intf1 in v5.14-rc3.
In function imon_init_intf1:
2322: ictx->rx_urb_intf1 = rx_urb;
...
2362: usb_free_urb(rx_urb);
This leaves a dangling pointer here. I'm not sure whether it can be
triggered somewhere.

Any feedback would be appreciated, thanks :)


Best wishes,
Nil Yi


* Re: [BUG] drivers: media: rc: imon.c: dangling pointer in function imon_init_intf1
  2021-08-01  8:32 [BUG] drivers: media: rc: imon.c: dangling pointer in function imon_init_intf1 nil Yi
@ 2021-08-01  9:12 ` Sean Young
  0 siblings, 0 replies; 2+ messages in thread
From: Sean Young @ 2021-08-01  9:12 UTC (permalink / raw)
  To: nil Yi; +Cc: linux-media

On Sun, Aug 01, 2021 at 04:32:15PM +0800, nil Yi wrote:
> Hi, there is a dangling pointer in ictx->rx_urb_intf1 in function
> imon_init_intf1 in v5.14-rc3.
> In function imon_init_intf1:
> 2322: ictx->rx_urb_intf1 = rx_urb;
> ...
> 2362: usb_free_urb(rx_urb);
> This leaves a dangling pointer here. I'm not sure whether it can be
> triggered somewhere.

I think this error path would lead to a double free. So you have an imon
device with two interfaces, and the probe on the second interface fails.

Now when the driver is removed from the first interface, we get a double
free. I think.


Sean
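
Added example, not part of either message and not code from imon.c: a userspace model of the pattern discussed in this thread, showing the error path that frees a URB while the shared context still points to it, next to a variant that clears the pointer first. All names are constructed, frees are counted instead of performed, and the teardown step assumes, as the reply above suggests, that removal of the first interface releases whatever ictx->rx_urb_intf1 holds.

```c
#include <stdio.h>

/* Userspace model with constructed names; not the imon.c code. */
struct urb { int frees; };              /* counts releases instead of calling free() */
struct ctx { struct urb *rx_urb_intf1; };

/* Stand-in for a release routine; ignores NULL. */
static void model_free_urb(struct urb *u) { if (u) u->frees++; }

/* Probe of the second interface: publishes the URB in the shared context,
 * then fails. clear_on_error selects the hardened error path. */
static int init_intf1(struct ctx *c, struct urb *rx_urb, int fail, int clear_on_error)
{
    c->rx_urb_intf1 = rx_urb;
    if (!fail)
        return 0;
    if (clear_on_error)
        c->rx_urb_intf1 = NULL;         /* unpublish before releasing */
    model_free_urb(rx_urb);             /* without the line above, ctx keeps a stale pointer */
    return -1;
}

/* Teardown that runs later for the first interface, which shares the context
 * (assumption: it releases whatever rx_urb_intf1 points to). */
static void disconnect(struct ctx *c)
{
    model_free_urb(c->rx_urb_intf1);
    c->rx_urb_intf1 = NULL;
}

/* Returns how many times the URB was released across probe failure + teardown. */
static int run(int clear_on_error)
{
    struct urb u = { 0 };
    struct ctx c = { NULL };
    init_intf1(&c, &u, 1, clear_on_error);
    disconnect(&c);
    return u.frees;
}

int main(void)
{
    printf("error path as reported: %d releases\n", run(0));
    printf("pointer cleared first:  %d releases\n", run(1));
    return 0;
}
```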
