aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefan Richter <stefanr@s5r6.in-berlin.de>2009-09-03 23:07:35 +0200
committerStefan Richter <stefanr@s5r6.in-berlin.de>2009-09-05 15:59:34 +0200
commitbaed6b82d9f160184c1c14cdb4accb08f3eb6b87 (patch)
treeeaeee0797d802462447d5aefbb09ddbdefa69986
parent4fe0badd5882c64dc2dcd8893f9b85db63339736 (diff)
downloadkernel_samsung_smdk4412-baed6b82d9f160184c1c14cdb4accb08f3eb6b87.tar.gz
kernel_samsung_smdk4412-baed6b82d9f160184c1c14cdb4accb08f3eb6b87.tar.bz2
kernel_samsung_smdk4412-baed6b82d9f160184c1c14cdb4accb08f3eb6b87.zip
firewire: sbp2: fix freeing of unallocated memory
If a target writes invalid status (typically status of a command that already timed out), firewire-sbp2 attempts to put away an ORB that doesn't exist. https://bugzilla.redhat.com/show_bug.cgi?id=519772 Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
-rw-r--r--drivers/firewire/sbp2.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/firewire/sbp2.c b/drivers/firewire/sbp2.c
index d27cb058da8..05f0c0c55f4 100644
--- a/drivers/firewire/sbp2.c
+++ b/drivers/firewire/sbp2.c
@@ -456,12 +456,12 @@ static void sbp2_status_write(struct fw_card *card, struct fw_request *request,
}
spin_unlock_irqrestore(&card->lock, flags);
- if (&orb->link != &lu->orb_list)
+ if (&orb->link != &lu->orb_list) {
orb->callback(orb, &status);
- else
+ kref_put(&orb->kref, free_orb);
+ } else {
fw_error("status write for unknown orb\n");
-
- kref_put(&orb->kref, free_orb);
+ }
fw_send_response(card, request, RCODE_COMPLETE);
}