iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

greybus: operation: fix another cancellation use-after-free

Browse Source 
An incoming operation could already be scheduled even if
gb_operation_result_set succeeds as its initial status is -EINPROGRESS.

Avoid potential use-after-free by never dropping the reference count for
incoming operations as part of cancellation.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This commit is contained in:
Johan Hovold 2015-07-14 15:43:23 +02:00 committed by Greg Kroah-Hartman
parent a5192032a2
commit fffc151381
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
drivers/staging/greybus/operation.c
View File

@ -853,12 +853,17 @@ void gb_connection_recv(struct gb_connection *connection,
*/
void gb_operation_cancel(struct gb_operation *operation, int errno)
{
if (gb_operation_result_set(operation, errno)) {
gb_message_cancel(operation->request);
gb_operation_put(operation);
} else if (gb_operation_is_incoming(operation)) {
if (!gb_operation_is_unidirectional(operation))
if (gb_operation_is_incoming(operation)) {
/* Cancel response if it has been allocated */
if (!gb_operation_result_set(operation, errno) &&
!gb_operation_is_unidirectional(operation)) {
gb_message_cancel(operation->response);
}
} else {
if (gb_operation_result_set(operation, errno)) {
gb_message_cancel(operation->request);
gb_operation_put(operation);
}
}
}
EXPORT_SYMBOL_GPL(gb_operation_cancel);