From 58c85123d9a1801af2558a0c925d90fe1599c27f Mon Sep 17 00:00:00 2001
From: Johan Hovold
Date: Sat, 26 Sep 2015 14:37:59 -0700
Subject: [PATCH] greybus: es1/2: fix use-after-free in completion callback

Reset the hcpriv field before returning the message to greybus core in the OUT-URB completion callback. This fixes a use-after-free bug when sending responses to incoming requests as the final reference is then dropped when the message is returned.

Reported-by: Michael Scott
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/greybus/es1.c | 8 ++++----
 drivers/staging/greybus/es2.c | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/greybus/es1.c b/drivers/staging/greybus/es1.c
index f2853ff..2c56aaf 100644
--- a/drivers/staging/greybus/es1.c
+++ b/drivers/staging/greybus/es1.c
@@ -397,16 +397,16 @@ static void cport_out_callback(struct urb *urb)
 gb_message_cport_clear(message->header);
+ spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
+ message->hcpriv = NULL;
+ spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
+
 /*
 * Tell the submitter that the message send (attempt) is
 * complete, and report the status.
 */
 greybus_message_sent(hd, message, status);
- spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
- message->hcpriv = NULL;
- spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
-
 free_urb(es1, urb);
 }
diff --git a/drivers/staging/greybus/es2.c b/drivers/staging/greybus/es2.c
index 8fee116..22b67d2 100644
--- a/drivers/staging/greybus/es2.c
+++ b/drivers/staging/greybus/es2.c
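Review bot: The three added lines above the comment block are correct only because they now run before greybus_message_sent(), and nothing in the code records that ordering constraint; the commit message says the message's final reference may be dropped when it is returned, so a later reorder would silently reintroduce the use-after-free. Add a comment above the added spin_lock_irqsave(): `/* Clear hcpriv before handing the message back: greybus_message_sent() may drop the last reference, so message must not be touched afterwards. */`. The same applies to the identical hunk in es2.c. cport_out_callback() begins outside the hunk, so the declarations of es1, flags, hd, message and status are not visible here.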
@@ -506,16 +506,16 @@ static void cport_out_callback(struct urb *urb)
 gb_message_cport_clear(message->header);
+ spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
+ message->hcpriv = NULL;
+ spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
+
 /*
 * Tell the submitter that the message send (attempt) is
 * complete, and report the status.
 */
 greybus_message_sent(hd, message, status);
- spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
- message->hcpriv = NULL;
- spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
-
 free_urb(es1, urb);
 }
-- 
2.7.4
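Review bot: The lines added in es2.c take the lock through a local named `es1`, which in this file presumably holds the es2 host-device private data; carrying the es1 name into new es2 code makes the locking harder to audit when the two drivers are compared side by side. Since the rest of the hunk (and, by inference, the file) already uses that name, renaming it to match the file is a follow-up cleanup rather than part of this fix, but the new lines are a natural place to note it. cport_out_callback() begins outside the hunk, so the declaration of es1 is not visible here.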