From 6741448eb01a1844b78c83fa8faf0c95524fc09b Mon Sep 17 00:00:00 2001
From: Thomas Pugliese <thomas.pugliese@gmail.com>
Date: Thu, 26 Sep 2013 14:08:16 -0500
Subject: [PATCH] usb: wusbcore: set pointers to NULL after freeing in error
 cases

This patch fixes two cases where error handling code was freeing memory
but not setting the pointer to NULL.  This could lead to a double free
in the HWA shutdown code.

Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/wusbcore/wa-xfer.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
index 61b0597c399ba..0b27146b5bc18 100644
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c
@@ -1560,6 +1560,7 @@ static void wa_xfer_result_chew(struct wahc *wa, struct wa_xfer *xfer,
 			xfer, seg_idx, result);
 	seg->result = result;
 	kfree(wa->buf_in_urb->sg);
+	wa->buf_in_urb->sg = NULL;
 error_sg_alloc:
 	__wa_xfer_abort(xfer);
 error_complete:
@@ -1859,6 +1860,7 @@ void wa_handle_notif_xfer(struct wahc *wa, struct wa_notif_hdr *notif_hdr)
 
 error_dti_urb_submit:
 	usb_put_urb(wa->buf_in_urb);
+	wa->buf_in_urb = NULL;
 error_buf_in_urb_alloc:
 	usb_put_urb(wa->dti_urb);
 	wa->dti_urb = NULL;
-- 
GitLab