usb: wusbcore: allow wa_xfer_destroy to clean up partially constructed xfers

If __wa_xfer_setup fails, it can leave a partially constructed wa_xfer object. The error handling code eventually calls wa_xfer_destroy which does not check for NULL before dereferencing xfer->seg which could cause a kernel panic. This change also makes sure to free xfer->seg which was being leaked for all transfers before this change. Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: wusbcore: allow wa_xfer_destroy to clean up partially constructed xfers
If __wa_xfer_setup fails, it can leave a partially constructed wa_xfer object. The error handling code eventually calls wa_xfer_destroy which does not check for NULL before dereferencing xfer->seg which could cause a kernel panic. This change also makes sure to free xfer->seg which was being leaked for all transfers before this change. Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
d993670c · Thomas Pugliese · Greg Kroah-Hartman · 0367eef2 · d993670c
Commit d993670c authored Sep 26, 2013 by Thomas Pugliese Committed by Greg Kroah-Hartman Sep 26, 2013
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

drivers/usb/wusbcore/wa-xfer.c drivers/usb/wusbcore/wa-xfer.c +8 -2

No files found.
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c
@@ -178,10 +178,16 @@ static void wa_xfer_destroy(struct kref *_xfer)
 	if (xfer->seg) {
 		unsigned cnt;
 		for (cnt = 0; cnt < xfer->segs; cnt++) {
+			if (xfer->seg[cnt]) {
+				if (xfer->seg[cnt]->dto_urb) {
+					kfree(xfer->seg[cnt]->dto_urb->sg);
 					usb_free_urb(xfer->seg[cnt]->dto_urb);
+				}
 				usb_free_urb(&xfer->seg[cnt]->tr_urb);
 			}
 		}
+		kfree(xfer->seg);
+	}
 	kfree(xfer);
 }