If __wa_xfer_setup fails, it can leave a partially constructed wa_xfer
object. The error handling code eventually calls wa_xfer_destroy which
does not check for NULL before dereferencing xfer->seg which could cause
a kernel panic. This change also makes sure to free xfer->seg which was
being leaked for all transfers before this change.
Signed-off-by: Thomas Pugliese <thomas.pugliese@xxxxxxxxx>
---
drivers/usb/wusbcore/wa-xfer.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
index 11d684c..dfb11bf 100644
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c
@@ -178,9 +178,15 @@ static void wa_xfer_destroy(struct kref *_xfer)
if (xfer->seg) {
unsigned cnt;
for (cnt = 0; cnt < xfer->segs; cnt++) {
- usb_free_urb(xfer->seg[cnt]->dto_urb);
- usb_free_urb(&xfer->seg[cnt]->tr_urb);
+ if (xfer->seg[cnt]) {
+ if (xfer->seg[cnt]->dto_urb) {
+ kfree(xfer->seg[cnt]->dto_urb->sg);
+ usb_free_urb(xfer->seg[cnt]->dto_urb);
+ }
+ usb_free_urb(&xfer->seg[cnt]->tr_urb);
+ }
}
+ kfree(xfer->seg);
}
kfree(xfer);
}
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
