Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=36010f...
Commit:     36010ff6788a058147ae15a1aebf97fd30fa51a9
Parent:     94aca1dac6f6d21f4b07e4864baf7768cabcc6e7
Author:     Marcel Holtmann <marcel@holtmann.org>
AuthorDate: Mon Oct 6 12:22:51 2008 +0200
Committer:  Marcel Holtmann <marcel@holtmann.org>
CommitDate: Mon Oct 6 12:22:51 2008 +0200

    [Bluetooth] Fix double frees on error paths of btusb and bpa10x drivers
    
    The transfer buffer of an URB will be automatically freed when using
    the URB_FREE_BUFFER transfer_flag. So the extra calls to kfree() will
    cause a double free.
    
    Reported-by: Justin Mattock <justinmattock@gmail.com>
    Signed-off-by: Rabin Vincent <rabin@rab.in>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---
 drivers/bluetooth/bpa10x.c |    2 --
 drivers/bluetooth/btusb.c  |    3 ---
 2 files changed, 0 insertions(+), 5 deletions(-)

diff --git a/drivers/bluetooth/bpa10x.c b/drivers/bluetooth/bpa10x.c
index 1e55a65..32f3a8e 100644
--- a/drivers/bluetooth/bpa10x.c
+++ b/drivers/bluetooth/bpa10x.c
@@ -256,7 +256,6 @@ static inline int bpa10x_submit_intr_urb(struct hci_dev *hdev)
 		BT_ERR("%s urb %p submission failed (%d)",
 						hdev->name, urb, -err);
 		usb_unanchor_urb(urb);
-		kfree(buf);
 	}
 
 	usb_free_urb(urb);
@@ -298,7 +297,6 @@ static inline int bpa10x_submit_bulk_urb(struct hci_dev *hdev)
 		BT_ERR("%s urb %p submission failed (%d)",
 						hdev->name, urb, -err);
 		usb_unanchor_urb(urb);
-		kfree(buf);
 	}
 
 	usb_free_urb(urb);
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 29ae998..262e9be 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -271,7 +271,6 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev)
 		BT_ERR("%s urb %p submission failed (%d)",
 						hdev->name, urb, -err);
 		usb_unanchor_urb(urb);
-		kfree(buf);
 	}
 
 	usb_free_urb(urb);
@@ -354,7 ...
[ message continues ]