tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
rtl818x: fix potential use after free
entry is released via usb_put_urb just after calling usb_submit_urb.
However, entry is used if the submission fails, resulting in a use after
free bug. The patch fixes this.
Signed-off-by: Pan Bian <bianpan2016@163.com>
ACKed-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
authored by
Pan Bian
and committed by
Kalle Valo
afbb1947
662a7b07
+2
-1
+2
-1
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+2
-1
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
···
444
444
skb_queue_tail(&priv->rx_queue, skb);
445
445
usb_anchor_urb(entry, &priv->anchored);
446
446
ret = usb_submit_urb(entry, GFP_KERNEL);
447
-
usb_put_urb(entry);
448
447
if (ret) {
449
448
skb_unlink(skb, &priv->rx_queue);
450
449
usb_unanchor_urb(entry);
450
+
usb_put_urb(entry);
451
451
goto err;
452
452
}
453
+
usb_put_urb(entry);
453
454
}
454
455
return ret;
455
456