From 0581f28efb86d8eb7e7f6baf712578477f7c868e Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Thu, 9 Jul 2015 15:17:59 +0200 Subject: [PATCH] greybus: operation: fix use-after-free in response receive path Fix potential use-after-free in response receive path, due to lack of reference counting when looking up operations on a connection. Make sure to acquire a reference to the operation while holding the connection-list lock. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/staging/greybus/operation.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c index f8d7df9ad3c4..8f99c8e17d70 100644 --- a/drivers/staging/greybus/operation.c +++ b/drivers/staging/greybus/operation.c @@ -114,6 +114,10 @@ int gb_operation_result(struct gb_operation *operation) } EXPORT_SYMBOL_GPL(gb_operation_result); +/* + * Looks up an operation on a connection and returns a refcounted pointer if + * found, or NULL otherwise. + */ static struct gb_operation * gb_operation_find(struct gb_connection *connection, u16 operation_id) { @@ -124,6 +128,7 @@ gb_operation_find(struct gb_connection *connection, u16 operation_id) spin_lock_irqsave(&gb_operations_lock, flags); list_for_each_entry(operation, &connection->operations, links) if (operation->id == operation_id) { + gb_operation_get(operation); found = true; break; } @@ -795,6 +800,8 @@ static void gb_connection_recv_response(struct gb_connection *connection, /* The rest will be handled in work queue context */ if (gb_operation_result_set(operation, errno)) queue_work(gb_operation_workqueue, &operation->work); + + gb_operation_put(operation); } /* -- 2.20.1