diff options
| author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2009-09-03 23:07:35 +0200 |
|---|---|---|
| committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2009-09-05 15:59:34 +0200 |
| commit | baed6b82d9f160184c1c14cdb4accb08f3eb6b87 (patch) | |
| tree | eaeee0797d802462447d5aefbb09ddbdefa69986 /drivers | |
| parent | 4fe0badd5882c64dc2dcd8893f9b85db63339736 (diff) | |
| download | op-kernel-dev-baed6b82d9f160184c1c14cdb4accb08f3eb6b87.zip op-kernel-dev-baed6b82d9f160184c1c14cdb4accb08f3eb6b87.tar.gz | |
firewire: sbp2: fix freeing of unallocated memory
If a target writes invalid status (typically status of a command that
already timed out), firewire-sbp2 attempts to put away an ORB that
doesn't exist. https://bugzilla.redhat.com/show_bug.cgi?id=519772
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/firewire/sbp2.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/firewire/sbp2.c b/drivers/firewire/sbp2.c index d27cb05..05f0c0c 100644 --- a/drivers/firewire/sbp2.c +++ b/drivers/firewire/sbp2.c @@ -456,12 +456,12 @@ static void sbp2_status_write(struct fw_card *card, struct fw_request *request, } spin_unlock_irqrestore(&card->lock, flags); - if (&orb->link != &lu->orb_list) + if (&orb->link != &lu->orb_list) { orb->callback(orb, &status); - else + kref_put(&orb->kref, free_orb); + } else { fw_error("status write for unknown orb\n"); - - kref_put(&orb->kref, free_orb); + } fw_send_response(card, request, RCODE_COMPLETE); } |
