firewire: sbp2: fix freeing of unallocated memory
If a target writes invalid status (typically status of a command that already timed out), firewire-sbp2 attempts to put away an ORB that doesn't exist. https://bugzilla.redhat.com/show_bug.cgi?id=519772 Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
This commit is contained in:
parent
4fe0badd58
commit
baed6b82d9
|
@ -456,12 +456,12 @@ static void sbp2_status_write(struct fw_card *card, struct fw_request *request,
|
||||||
}
|
}
|
||||||
spin_unlock_irqrestore(&card->lock, flags);
|
spin_unlock_irqrestore(&card->lock, flags);
|
||||||
|
|
||||||
if (&orb->link != &lu->orb_list)
|
if (&orb->link != &lu->orb_list) {
|
||||||
orb->callback(orb, &status);
|
orb->callback(orb, &status);
|
||||||
else
|
|
||||||
fw_error("status write for unknown orb\n");
|
|
||||||
|
|
||||||
kref_put(&orb->kref, free_orb);
|
kref_put(&orb->kref, free_orb);
|
||||||
|
} else {
|
||||||
|
fw_error("status write for unknown orb\n");
|
||||||
|
}
|
||||||
|
|
||||||
fw_send_response(card, request, RCODE_COMPLETE);
|
fw_send_response(card, request, RCODE_COMPLETE);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue