greybus: operation: fix use-after-free in response receive path

Fix potential use-after-free in response receive path, due to lack of
reference counting when looking up operations on a connection.

Make sure to acquire a reference to the operation while holding the
connection-list lock.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index f8d7df9ad3c48c8a3fac8f5135d726ead1934912..8f99c8e17d701e8580dbdc877c07134bed81cbaf 100644 (file)
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -114,6 +114,10 @@ int gb_operation_result(struct gb_operation *operation)
 }
 EXPORT_SYMBOL_GPL(gb_operation_result);
 
+/*
+ * Looks up an operation on a connection and returns a refcounted pointer if
+ * found, or NULL otherwise.
+ */
 static struct gb_operation *
 gb_operation_find(struct gb_connection *connection, u16 operation_id)
 {
@@ -124,6 +128,7 @@ gb_operation_find(struct gb_connection *connection, u16 operation_id)
        spin_lock_irqsave(&gb_operations_lock, flags);
        list_for_each_entry(operation, &connection->operations, links)
                if (operation->id == operation_id) {
+                       gb_operation_get(operation);
                        found = true;
                        break;
                }
@@ -795,6 +800,8 @@ static void gb_connection_recv_response(struct gb_connection *connection,
        /* The rest will be handled in work queue context */
        if (gb_operation_result_set(operation, errno))
                queue_work(gb_operation_workqueue, &operation->work);
+
+       gb_operation_put(operation);
 }
 
 /*