ALSA: 6fire: Fix double-free bug in usb6fire_fw_ezusb_upload()

We have a double-free bug in sound/usb/6fire/firmware.c::usb6fire_fw_ezusb_upload(). We already call release_firmware(fw) on line 258, so when we then do it again after usb6fire_fw_ezusb_write() returns <0, we have a double-free. Easily fixed by just removing the last call to release_firmware(). Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>

ALSA: 6fire: Fix double-free bug in usb6fire_fw_ezusb_upload()
We have a double-free bug in sound/usb/6fire/firmware.c::usb6fire_fw_ezusb_upload(). We already call release_firmware(fw) on line 258, so when we then do it again after usb6fire_fw_ezusb_write() returns <0, we have a double-free. Easily fixed by just removing the last call to release_firmware(). Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Jesper Juhl · Takashi Iwai
1 parent 2308f4add3
Showing 1 changed file with 0 additions and 1 deletions Side-by-side Diff
sound/usb/6fire/firmware.c
@@ -270,7 +270,6 @@
 	data = 0x00; /* resume ezusb cpu */
 	ret = usb6fire_fw_ezusb_write(device, 0xa0, 0xe600, &data, 1);
 	if (ret < 0) {
-		release_firmware(fw);
 		snd_printk(KERN_ERR PREFIX "unable to upload ezusb "
 				"firmware %s: end message.\n", fwname);
 		return ret;
...	...	@@ -270,7 +270,6 @@
270	270	data = 0x00; /* resume ezusb cpu */
271	271	ret = usb6fire_fw_ezusb_write(device, 0xa0, 0xe600, &data, 1);
272	272	if (ret < 0) {
273		- release_firmware(fw);
274	273	snd_printk(KERN_ERR PREFIX "unable to upload ezusb "
275	274	"firmware %s: end message.\n", fwname);
276	275	return ret;