From c6e5dacfee514baa858673e9ce204b51aadae1ff Mon Sep 17 00:00:00 2001
From: bluhm
Date: Fri, 22 Jan 2016 13:31:47 +0000
Subject: If usb_fill_udf_task() failed to fill the struct, udf_data still contained the pointer it received from user land. usbioctl() has to reset it, otherwise user supplied data is passed to free(). OK mpi@
---
 sys/dev/usb/usb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'sys/dev/usb/usb.c')
diff --git a/sys/dev/usb/usb.c b/sys/dev/usb/usb.c
index 24be6326ed2..7f991591620 100644
--- a/sys/dev/usb/usb.c
+++ b/sys/dev/usb/usb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: usb.c,v 1.108 2015/09/01 10:00:26 mpi Exp $ */
+/* $OpenBSD: usb.c,v 1.109 2016/01/22 13:31:47 bluhm Exp $ */
 /* $NetBSD: usb.c,v 1.77 2003/01/01 00:10:26 thorpej Exp $ */
 /*
@@ -776,6 +776,7 @@ usbioctl(dev_t devt, u_long cmd, caddr_t data, int flag, struct proc *p)
 udf->udf_bus = unit;
 save_udf = *udf;
+ udf->udf_data = NULL;
 usb_init_task(&udf_task, usb_fill_udf_task, udf, USB_TASK_TYPE_GENERIC);
 usb_add_task(sc->sc_bus->root_hub, &udf_task);
--
cgit v1.2.3-59-g8ed1b
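Review bot: The added `udf->udf_data = NULL;` in the usbioctl() hunk carries no comment, so in the source it reads like redundant initialisation that a later cleanup could remove, reopening the path where a user-supplied pointer reaches free(). I would put the reason next to the line, for example `/* Drop the pointer copied in from userland; if the task fails to fill udf, it must not reach free(). */`. The code that waits for the task, reads the result and frees the buffer lies outside this hunk, so it cannot be confirmed from here that the NULL case is rejected before use. It is also worth checking whether any other field the task is expected to fill still holds its user-supplied value when the task fails.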