diff options
author | Thomas Pugliese <thomas.pugliese@gmail.com> | 2013-09-26 14:08:13 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-09-26 16:31:36 -0700 |
commit | d993670ca97f646db1ef9b345e78ecfd3d6f0143 (patch) | |
tree | 55a43edb203b2c0695454b854ed03e989ff4f42d /drivers/usb/wusbcore | |
parent | 0367eef281006923bd35ee323cdc5d21179afe5a (diff) |
usb: wusbcore: allow wa_xfer_destroy to clean up partially constructed xfers
If __wa_xfer_setup fails, it can leave a partially constructed wa_xfer
object. The error handling code eventually calls wa_xfer_destroy which
does not check for NULL before dereferencing xfer->seg which could cause
a kernel panic. This change also makes sure to free xfer->seg which was
being leaked for all transfers before this change.
Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/wusbcore')
-rw-r--r-- | drivers/usb/wusbcore/wa-xfer.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c index 47cbfddad159..d2c7b2bb17c1 100644 --- a/drivers/usb/wusbcore/wa-xfer.c +++ b/drivers/usb/wusbcore/wa-xfer.c @@ -178,9 +178,15 @@ static void wa_xfer_destroy(struct kref *_xfer) if (xfer->seg) { unsigned cnt; for (cnt = 0; cnt < xfer->segs; cnt++) { - usb_free_urb(xfer->seg[cnt]->dto_urb); - usb_free_urb(&xfer->seg[cnt]->tr_urb); + if (xfer->seg[cnt]) { + if (xfer->seg[cnt]->dto_urb) { + kfree(xfer->seg[cnt]->dto_urb->sg); + usb_free_urb(xfer->seg[cnt]->dto_urb); + } + usb_free_urb(&xfer->seg[cnt]->tr_urb); + } } + kfree(xfer->seg); } kfree(xfer); } |