summaryrefslogtreecommitdiff
path: root/drivers/usb/wusbcore
diff options
context:
space:
mode:
authorThomas Pugliese <thomas.pugliese@gmail.com>2013-09-26 14:08:13 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-09-26 16:31:36 -0700
commitd993670ca97f646db1ef9b345e78ecfd3d6f0143 (patch)
tree55a43edb203b2c0695454b854ed03e989ff4f42d /drivers/usb/wusbcore
parent0367eef281006923bd35ee323cdc5d21179afe5a (diff)
usb: wusbcore: allow wa_xfer_destroy to clean up partially constructed xfers
If __wa_xfer_setup fails, it can leave a partially constructed wa_xfer object. The error handling code eventually calls wa_xfer_destroy which does not check for NULL before dereferencing xfer->seg which could cause a kernel panic. This change also makes sure to free xfer->seg which was being leaked for all transfers before this change. Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb/wusbcore')
-rw-r--r--drivers/usb/wusbcore/wa-xfer.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
index 47cbfddad159..d2c7b2bb17c1 100644
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c
@@ -178,9 +178,15 @@ static void wa_xfer_destroy(struct kref *_xfer)
if (xfer->seg) {
unsigned cnt;
for (cnt = 0; cnt < xfer->segs; cnt++) {
- usb_free_urb(xfer->seg[cnt]->dto_urb);
- usb_free_urb(&xfer->seg[cnt]->tr_urb);
+ if (xfer->seg[cnt]) {
+ if (xfer->seg[cnt]->dto_urb) {
+ kfree(xfer->seg[cnt]->dto_urb->sg);
+ usb_free_urb(xfer->seg[cnt]->dto_urb);
+ }
+ usb_free_urb(&xfer->seg[cnt]->tr_urb);
+ }
}
+ kfree(xfer->seg);
}
kfree(xfer);
}