usb: wusbcore: allow wa_xfer_destroy to clean up partially constructed xfers
authorThomas Pugliese <thomas.pugliese@gmail.com>
Thu, 26 Sep 2013 19:08:13 +0000 (14:08 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 26 Sep 2013 23:31:36 +0000 (16:31 -0700)
If __wa_xfer_setup fails, it can leave a partially constructed wa_xfer
object.  The error handling code eventually calls wa_xfer_destroy which
does not check for NULL before dereferencing xfer->seg which could cause
a kernel panic.  This change also makes sure to free xfer->seg which was
being leaked for all transfers before this change.

Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/wusbcore/wa-xfer.c

index 47cbfdd..d2c7b2b 100644 (file)
@@ -178,9 +178,15 @@ static void wa_xfer_destroy(struct kref *_xfer)
        if (xfer->seg) {
                unsigned cnt;
                for (cnt = 0; cnt < xfer->segs; cnt++) {
-                       usb_free_urb(xfer->seg[cnt]->dto_urb);
-                       usb_free_urb(&xfer->seg[cnt]->tr_urb);
+                       if (xfer->seg[cnt]) {
+                               if (xfer->seg[cnt]->dto_urb) {
+                                       kfree(xfer->seg[cnt]->dto_urb->sg);
+                                       usb_free_urb(xfer->seg[cnt]->dto_urb);
+                               }
+                               usb_free_urb(&xfer->seg[cnt]->tr_urb);
+                       }
                }
+               kfree(xfer->seg);
        }
        kfree(xfer);
 }