Gitiles
Code Review Sign In
LeafOS / LeafOS-Devices / android_kernel_samsung_gta4xl / d993670ca97f646db1ef9b345e78ecfd3d6f0143^! / .
commitd993670ca97f646db1ef9b345e78ecfd3d6f0143[log] [tgz]
authorThomas Pugliese <thomas.pugliese@gmail.com>Thu Sep 26 14:08:13 2013 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Thu Sep 26 16:31:36 2013 -0700
tree55a43edb203b2c0695454b854ed03e989ff4f42d
parent0367eef281006923bd35ee323cdc5d21179afe5a [diff]
usb: wusbcore: allow wa_xfer_destroy to clean up partially constructed xfers

If __wa_xfer_setup fails, it can leave a partially constructed wa_xfer
object.  The error handling code eventually calls wa_xfer_destroy which
does not check for NULL before dereferencing xfer->seg which could cause
a kernel panic.  This change also makes sure to free xfer->seg which was
being leaked for all transfers before this change.

Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
index 47cbfdd..d2c7b2b 100644
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c

@@ -178,9 +178,15 @@
 	if (xfer->seg) {
 		unsigned cnt;
 		for (cnt = 0; cnt < xfer->segs; cnt++) {
-			usb_free_urb(xfer->seg[cnt]->dto_urb);
-			usb_free_urb(&xfer->seg[cnt]->tr_urb);
+			if (xfer->seg[cnt]) {
+				if (xfer->seg[cnt]->dto_urb) {
+					kfree(xfer->seg[cnt]->dto_urb->sg);
+					usb_free_urb(xfer->seg[cnt]->dto_urb);
+				}
+				usb_free_urb(&xfer->seg[cnt]->tr_urb);
+			}
 		}
+		kfree(xfer->seg);
 	}
 	kfree(xfer);
 }