greybus: es1/2: fix use-after-free in completion callback

Reset the hcpriv field before returning the message to greybus core in the OUT-URB completion callback. This fixes a use-after-free bug when sending responses to incoming requests as the final reference is then dropped when the message is returned. Reported-by: Michael Scott <michael.scott@linaro.org> Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2015-09-26 14:37:59 -07:00 · 2015-09-26 14:37:59 -07:00 · 58c85123d9
commit 58c85123d9
parent 336dfeaba1
2 changed files with 8 additions and 8 deletions
--- a/drivers/staging/greybus/es1.c
+++ b/drivers/staging/greybus/es1.c
@ -397,16 +397,16 @@ static void cport_out_callback(struct urb *urb)
 	gb_message_cport_clear(message->header);
 	spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
 	message->hcpriv = NULL;
 	spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
 	/*
 	 * Tell the submitter that the message send (attempt) is
 	 * complete, and report the status.
 	 */
 	greybus_message_sent(hd, message, status);
 	spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
 	message->hcpriv = NULL;
 	spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
 	free_urb(es1, urb);
 }
--- a/drivers/staging/greybus/es2.c
+++ b/drivers/staging/greybus/es2.c
@ -506,16 +506,16 @@ static void cport_out_callback(struct urb *urb)
 	gb_message_cport_clear(message->header);
 	spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
 	message->hcpriv = NULL;
 	spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
 	/*
 	 * Tell the submitter that the message send (attempt) is
 	 * complete, and report the status.
 	 */
 	greybus_message_sent(hd, message, status);
 	spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
 	message->hcpriv = NULL;
 	spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
 	free_urb(es1, urb);
 }