From: Johan Hovold
Date: Sat, 26 Sep 2015 21:37:59 +0000 (-0700)
Subject: greybus: es1/2: fix use-after-free in completion callback
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=58c85123d9a1801af2558a0c925d90fe1599c27f;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git
greybus: es1/2: fix use-after-free in completion callback
Reset the hcpriv field before returning the message to greybus core in the OUT-URB completion callback. This fixes a use-after-free bug when sending responses to incoming requests as the final reference is then dropped when the message is returned.
Reported-by: Michael Scott
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/staging/greybus/es1.c b/drivers/staging/greybus/es1.c
index f2853ff4535d..2c56aaf55b42 100644
--- a/drivers/staging/greybus/es1.c
+++ b/drivers/staging/greybus/es1.c
@@ -397,16 +397,16 @@ static void cport_out_callback(struct urb *urb)
 gb_message_cport_clear(message->header);
+ spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
+ message->hcpriv = NULL;
+ spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
+
 /*
 * Tell the submitter that the message send (attempt) is
 * complete, and report the status.
 */
 greybus_message_sent(hd, message, status);
- spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
- message->hcpriv = NULL;
- spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
-
 free_urb(es1, urb);
 }
diff --git a/drivers/staging/greybus/es2.c b/drivers/staging/greybus/es2.c
index 8fee1162aea1..22b67d2ff9df 100644
--- a/drivers/staging/greybus/es2.c
+++ b/drivers/staging/greybus/es2.c
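Review bot: The ordering this fix depends on is not recorded in the code: nothing in the new lines of es1.c says that `message` must not be touched after `greybus_message_sent(hd, message, status)`, so a later edit that moves the `hcpriv` reset (or adds any other access) back below that call would silently reintroduce the use-after-free. A short comment above the added `spin_lock_irqsave()` would make the lifetime rule explicit, e.g. `/* Clear hcpriv under the lock before handing the message back: greybus_message_sent() may drop the last reference, after which message must not be dereferenced. */`. The trailing `free_urb(es1, urb)` only uses `urb`, so it is safe after the callback as written; whether a cancel path that read `hcpriv` under cport_out_urb_lock just before the reset could still be using the urb when `free_urb()` runs cannot be judged from this hunk. cport_out_callback() begins before the hunk, so where `message` and `es1` come from is not visible here.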
@@ -506,16 +506,16 @@ static void cport_out_callback(struct urb *urb)
 gb_message_cport_clear(message->header);
+ spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
+ message->hcpriv = NULL;
+ spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
+
 /*
 * Tell the submitter that the message send (attempt) is
 * complete, and report the status.
 */
 greybus_message_sent(hd, message, status);
- spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
- message->hcpriv = NULL;
- spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
-
 free_urb(es1, urb);
 }
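Review bot: The es2.c copy of cport_out_callback() carries the same unstated invariant as the fix itself: the `hcpriv` reset is now placed before `greybus_message_sent(hd, message, status)` precisely because that call may release the last reference to `message`, yet no comment in the hunk says so, and the next person who "tidies" the callback can move it back. Adding, above the new `spin_lock_irqsave()`, a comment such as `/* Must run before greybus_message_sent(): that call can free message, so hcpriv is cleared first and message is never touched again. */` documents the rule where it matters. Since es1.c has an essentially identical callback, keeping the two comments (and the two bodies) in step is worth a note in whichever is edited next; that the host-device pointer here is still named `es1` is pre-existing and not part of this change. The start of cport_out_callback() lies outside the hunk.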