greybus: operation: fix null-deref on operation destroy

Incoming operations are created without a response message. If a
protocol driver fails to send a response, or if the operation were to be
cancelled before it has been fully processed, we get a null-pointer
dereference when the operation is released.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index 17f4eab5c07689f00918eb610b44f43f2303fc55..cb0c87aa4f986c6c2a1f4d73d6268e8d1f0dde17 100644 (file)
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -607,7 +607,8 @@ static void _gb_operation_destroy(struct kref *kref)
        list_del(&operation->links);
        spin_unlock_irqrestore(&gb_operations_lock, flags);
 
-       gb_operation_message_free(operation->response);
+       if (operation->response)
+               gb_operation_message_free(operation->response);
        gb_operation_message_free(operation->request);
 
        kmem_cache_free(gb_operation_cache, operation);