greybus: operation: fix null-deref on operation cancel
author Johan Hovold <johan@hovoldconsulting.com>
Fri, 27 Mar 2015 11:41:16 +0000 (12:41 +0100)
committer Greg Kroah-Hartman <greg@kroah.com>
Mon, 30 Mar 2015 13:13:01 +0000 (15:13 +0200)
Incoming operations are created without a response message. If an
operation were to be cancelled before it has been fully processed (e.g.
on connection destroy), we would get a null-pointer dereference in
gb_operation_cancel.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
drivers/staging/greybus/operation.c

index f194b1eeb539962e8c98d8f7296ffc6423ec471a..17f4eab5c07689f00918eb610b44f43f2303fc55 100644 (file)
@@ -911,7 +911,8 @@ void gb_operation_cancel(struct gb_operation *operation, int errno)
 {
        if (gb_operation_result_set(operation, errno)) {
                gb_message_cancel(operation->request);
-               gb_message_cancel(operation->response);
+               if (operation->response)
+                       gb_message_cancel(operation->response);
        }
        gb_operation_put(operation);
 }
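Review bot: The new `if (operation->response)` guard in gb_operation_cancel() carries no comment explaining why the response can be NULL, while the request cancel directly above it stays unconditional, so the asymmetry reads as arbitrary to anyone who has not seen the commit message. A one-line comment above the check, along the lines of "incoming operations are created without a response message", would keep the reason next to the code. If any other caller can reach gb_message_cancel() with an absent message, putting the NULL check inside gb_message_cancel() itself would cover those paths as well; that cannot be judged from this hunk alone, so it is worth confirming before settling on the call-site guard.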