From: Stefan Richter Date: Thu, 3 Sep 2009 21:07:35 +0000 (+0200) Subject: firewire: sbp2: fix freeing of unallocated memory X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=baed6b82d9f160184c1c14cdb4accb08f3eb6b87;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git firewire: sbp2: fix freeing of unallocated memory If a target writes invalid status (typically status of a command that already timed out), firewire-sbp2 attempts to put away an ORB that doesn't exist. https://bugzilla.redhat.com/show_bug.cgi?id=519772 Signed-off-by: Stefan Richter --- diff --git a/drivers/firewire/sbp2.c b/drivers/firewire/sbp2.c index d27cb058da82..05f0c0c55f4a 100644 --- a/drivers/firewire/sbp2.c +++ b/drivers/firewire/sbp2.c @@ -456,12 +456,12 @@ static void sbp2_status_write(struct fw_card *card, struct fw_request *request, } spin_unlock_irqrestore(&card->lock, flags); - if (&orb->link != &lu->orb_list) + if (&orb->link != &lu->orb_list) { orb->callback(orb, &status); - else + kref_put(&orb->kref, free_orb); + } else { fw_error("status write for unknown orb\n"); - - kref_put(&orb->kref, free_orb); + } fw_send_response(card, request, RCODE_COMPLETE); }