From: Johan Hovold Date: Thu, 9 Jul 2015 13:17:59 +0000 (+0200) Subject: greybus: operation: fix use-after-free in response receive path X-Git-Tag: v4.14-rc1~2366^2~378^2~21^2~1397 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0581f28efb86d8eb7e7f6baf712578477f7c868e;p=platform%2Fkernel%2Flinux-rpi.git greybus: operation: fix use-after-free in response receive path Fix potential use-after-free in response receive path, due to lack of reference counting when looking up operations on a connection. Make sure to acquire a reference to the operation while holding the connection-list lock. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index f8d7df9..8f99c8e 100644
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -114,6 +114,10 @@ int gb_operation_result(struct gb_operation *operation)
 }
 EXPORT_SYMBOL_GPL(gb_operation_result);
 
+/*
+ * Looks up an operation on a connection and returns a refcounted pointer if
+ * found, or NULL otherwise.
+ */
 static struct gb_operation *
 gb_operation_find(struct gb_connection *connection, u16 operation_id)
 {
@@ -124,6 +128,7 @@ gb_operation_find(struct gb_connection *connection, u16 operation_id)
 spin_lock_irqsave(&gb_operations_lock, flags);
 list_for_each_entry(operation, &connection->operations, links)
 if (operation->id == operation_id) {
+ gb_operation_get(operation);
 found = true;
 break;
 }
@@ -795,6 +800,8 @@ static void gb_connection_recv_response(struct gb_connection *connection,
 /* The rest will be handled in work queue context */
 if (gb_operation_result_set(operation, errno))
 queue_work(gb_operation_workqueue, &operation->work);
+
+ gb_operation_put(operation);
 }
 
 /*
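Review bot: The new comment above gb_operation_find() says the pointer is refcounted but not who is responsible for dropping the reference, which is the whole point of this fix. Since the third hunk shows the caller releasing it with gb_operation_put(), the contract belongs in the comment: `* found, or NULL otherwise. The caller must drop the reference with gb_operation_put().`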
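Review bot: The added gb_operation_get() in gb_operation_find() is taken under gb_operations_lock, which only guarantees the entry is still linked on connection->operations; it is safe only if every operation is unlinked from that list before its final reference is dropped, which this hunk cannot show. If the teardown path drops the last reference first and unlinks afterwards, the get here would presumably act on a count that has already reached zero, so that ordering is worth confirming. A one-line why-comment would record the assumption: `/* list lock keeps it linked; ref dropped by caller via gb_operation_put() */`.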
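Review bot: The gb_operation_put() added at the end of gb_connection_recv_response() releases the lookup reference only on the path that reaches the end of the function; gb_connection_recv_response() starts outside the hunk, and if any early `return` sits between the gb_operation_find() call and this line (for example on a malformed response), the reference taken in the lookup leaks on that path and the operation is never freed. Any such path should fall through to the put, e.g. by replacing those returns with `goto out;` and placing `out: gb_operation_put(operation);` at the end.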