firewire: fix panic in handle_at_packet
author Stefan Richter <stefanr@s5r6.in-berlin.de>
Sat, 15 Mar 2008 23:56:41 +0000 (00:56 +0100)
committer Stefan Richter <stefanr@s5r6.in-berlin.de>
Thu, 20 Mar 2008 17:13:05 +0000 (18:13 +0100)
This fixes a use-after-free bug in the handling of split transactions.
The AT DMA handler of the request was occasionally executed after the
AR DMA handler of the response.  The AT DMA handler then accessed an
already freed packet.

Reported by Johannes Berg.
http://bugzilla.kernel.org/show_bug.cgi?id=9617

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Jarod Wilson <jwilson@redhat.com>
drivers/firewire/fw-transaction.c

index 99529e59a0b13e4f5173205f5ab4d338ce6ebe3b..e6f1bda3894040bb3c3bd97536a0243a6568a1ae 100644 (file)
@@ -736,6 +736,12 @@ fw_core_handle_response(struct fw_card *card, struct fw_packet *p)
                break;
        }
 
+       /*
+        * The response handler may be executed while the request handler
+        * is still pending.  Cancel the request handler.
+        */
+       card->driver->cancel_packet(card, &t->packet);
+
        t->callback(card, rcode, data, data_length, t->callback_data);
 }
 EXPORT_SYMBOL(fw_core_handle_response);
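Review bot: the return value of `card->driver->cancel_packet(card, &t->packet)` is discarded, and the new comment does not state what cancel_packet guarantees if the AT DMA handler for this request has already started executing on another CPU when the response arrives. The commit message says the AT handler ran after the AR handler and touched the freed packet, so the ordering that matters is "handler not yet started" versus "handler in progress"; the cancellation only closes the use-after-free if the driver either prevents the pending handler from running or waits for a running one to finish before returning. Suggest extending the comment to spell out that contract, and documenting it at the cancel_packet driver hook so every card driver implementing it knows the requirement.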