From 9489667684fbed2114dcdd10cdee2e4d20d9f308 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Fri, 27 Mar 2015 12:41:17 +0100 Subject: [PATCH] greybus: operation: fix null-deref on operation destroy Incoming operations are created without a response message. If a protocol driver fails to send a response, or if the operation were to be cancelled before it has been fully processed, we get a null-pointer dereference when the operation is released. Signed-off-by: Johan Hovold Reviewed-by: Alex Elder Signed-off-by: Greg Kroah-Hartman --- drivers/staging/greybus/operation.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c index 17f4eab5c076..cb0c87aa4f98 100644 --- a/drivers/staging/greybus/operation.c +++ b/drivers/staging/greybus/operation.c @@ -607,7 +607,8 @@ static void _gb_operation_destroy(struct kref *kref) list_del(&operation->links); spin_unlock_irqrestore(&gb_operations_lock, flags); - gb_operation_message_free(operation->response); + if (operation->response) + gb_operation_message_free(operation->response); gb_operation_message_free(operation->request); kmem_cache_free(gb_operation_cache, operation); -- 2.20.1