firewire: sbp2: fix freeing of unallocated memory

If a target writes invalid status (typically status of a command that already timed out), firewire-sbp2 attempts to put away an ORB that doesn't exist. https://bugzilla.redhat.com/show_bug.cgi?id=519772Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

firewire: sbp2: fix freeing of unallocated memory
If a target writes invalid status (typically status of a command that already timed out), firewire-sbp2 attempts to put away an ORB that doesn't exist. https://bugzilla.redhat.com/show_bug.cgi?id=519772Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
baed6b82 · Stefan Richter · 4fe0badd · baed6b82
Commit baed6b82 authored Sep 03, 2009 by Stefan Richter
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

drivers/firewire/sbp2.c drivers/firewire/sbp2.c +4 -4

No files found.
--- a/drivers/firewire/sbp2.c
+++ b/drivers/firewire/sbp2.c
@@ -456,12 +456,12 @@ static void sbp2_status_write(struct fw_card *card, struct fw_request *request,
 	}
 	spin_unlock_irqrestore(&card->lock, flags);
-	if (&orb->link != &lu->orb_list)
+	if (&orb->link != &lu->orb_list) {
 		orb->callback(orb, &status);
-	else
+		kref_put(&orb->kref, free_orb);
+	} else {
 		fw_error("status write for unknown orb\n");
+	}
-	kref_put(&orb->kref, free_orb);
 	fw_send_response(card, request, RCODE_COMPLETE);
 }