greybus: operation: fix null-deref on operation destroy

Incoming operations are created without a response message. If a protocol driver fails to send a response, or if the operation were to be cancelled before it has been fully processed, we get a null-pointer dereference when the operation is released. Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Reviewed-by: Alex Elder <elder@linaro.org> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

greybus: operation: fix null-deref on operation destroy
Incoming operations are created without a response message. If a protocol driver fails to send a response, or if the operation were to be cancelled before it has been fully processed, we get a null-pointer dereference when the operation is released. Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Reviewed-by: Alex Elder <elder@linaro.org> Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
94896676 · Johan Hovold · Greg Kroah-Hartman · 772f3e90 · 94896676
Commit 94896676 authored Mar 27, 2015 by Johan Hovold Committed by Greg Kroah-Hartman Mar 30, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/staging/greybus/operation.c drivers/staging/greybus/operation.c +2 -1

No files found.
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -607,7 +607,8 @@ static void _gb_operation_destroy(struct kref *kref)
 	list_del(&operation->links);
 	spin_unlock_irqrestore(&gb_operations_lock, flags);
-	gb_operation_message_free(operation->response);
+	if (operation->response)
+		gb_operation_message_free(operation->response);
 	gb_operation_message_free(operation->request);
 	kmem_cache_free(gb_operation_cache, operation);