From fffc151381473384629d78cb89b7f7bbb9dc53b0 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Tue, 14 Jul 2015 15:43:23 +0200 Subject: [PATCH] greybus: operation: fix another cancellation use-after-free An incoming operation could already be scheduled even if gb_operation_result_set succeeds as its initial status is -EINPROGRESS. Avoid potential use-after-free by never dropping the reference count for incoming operations as part of cancellation. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/staging/greybus/operation.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c index b78c55fac8cc..41aec7647b2b 100644 --- a/drivers/staging/greybus/operation.c +++ b/drivers/staging/greybus/operation.c @@ -853,12 +853,17 @@ void gb_connection_recv(struct gb_connection *connection, */ void gb_operation_cancel(struct gb_operation *operation, int errno) { - if (gb_operation_result_set(operation, errno)) { - gb_message_cancel(operation->request); - gb_operation_put(operation); - } else if (gb_operation_is_incoming(operation)) { - if (!gb_operation_is_unidirectional(operation)) + if (gb_operation_is_incoming(operation)) { + /* Cancel response if it has been allocated */ + if (!gb_operation_result_set(operation, errno) && + !gb_operation_is_unidirectional(operation)) { gb_message_cancel(operation->response); + } + } else { + if (gb_operation_result_set(operation, errno)) { + gb_message_cancel(operation->request); + gb_operation_put(operation); + } } } EXPORT_SYMBOL_GPL(gb_operation_cancel); -- 2.20.1