From: Stefan Richter Date: Sat, 15 Mar 2008 23:56:41 +0000 (+0100) Subject: firewire: fix panic in handle_at_packet X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=10a4c735515a5afc317abe4d697a4c95f6d9d764;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git firewire: fix panic in handle_at_packet This fixes a use-after-free bug in the handling of split transactions. The AT DMA handler of the request was occasionally executed after the AR DMA handler of the response. The AT DMA handler then accessed an already freed packet. Reported by Johannes Berg. http://bugzilla.kernel.org/show_bug.cgi?id=9617 Signed-off-by: Stefan Richter Tested-by: Johannes Berg Signed-off-by: Jarod Wilson --- diff --git a/drivers/firewire/fw-transaction.c b/drivers/firewire/fw-transaction.c index 99529e59a0b1..e6f1bda38940 100644 --- a/drivers/firewire/fw-transaction.c +++ b/drivers/firewire/fw-transaction.c @@ -736,6 +736,12 @@ fw_core_handle_response(struct fw_card *card, struct fw_packet *p) break; } + /* + * The response handler may be executed while the request handler + * is still pending. Cancel the request handler. + */ + card->driver->cancel_packet(card, &t->packet); + t->callback(card, rcode, data, data_length, t->callback_data); } EXPORT_SYMBOL(fw_core_handle_response);