greybus: operation: fix null-deref on operation destroy

Incoming operations are created without a response message. If a protocol driver fails to send a response, or if the operation were to be cancelled before it has been fully processed, we get a null-pointer dereference when the operation is released. Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Reviewed-by: Alex Elder <elder@linaro.org> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
author: Johan Hovold <johan@hovoldconsulting.com> 2015-03-27 14:41:17 +0300
committer: Greg Kroah-Hartman <greg@kroah.com> 2015-03-30 16:13:01 +0300
commit: 9489667684fbed2114dcdd10cdee2e4d20d9f308 (patch)
tree: ae4b83ad6f44d03fcccae522e3b80d3f5f278b36 /drivers/staging/greybus/operation.c
parent: 772f3e90605641592435ec7c0a960e858925a0fe (diff)
download: linux-9489667684fbed2114dcdd10cdee2e4d20d9f308.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index 17f4eab5c076..cb0c87aa4f98 100644
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -607,7 +607,8 @@ static void _gb_operation_destroy(struct kref *kref)
 	list_del(&operation->links);
 	spin_unlock_irqrestore(&gb_operations_lock, flags);
 
-	gb_operation_message_free(operation->response);
+	if (operation->response)
+		gb_operation_message_free(operation->response);
 	gb_operation_message_free(operation->request);
 
 	kmem_cache_free(gb_operation_cache, operation);
author	Johan Hovold <johan@hovoldconsulting.com>	2015-03-27 14:41:17 +0300
committer	Greg Kroah-Hartman <greg@kroah.com>	2015-03-30 16:13:01 +0300
commit	9489667684fbed2114dcdd10cdee2e4d20d9f308 (patch)
tree	ae4b83ad6f44d03fcccae522e3b80d3f5f278b36 /drivers/staging/greybus/operation.c
parent	772f3e90605641592435ec7c0a960e858925a0fe (diff)
download	linux-9489667684fbed2114dcdd10cdee2e4d20d9f308.tar.xz