Commit 58c85123 authored by Johan Hovold, committed by Greg Kroah-Hartman

greybus: es1/2: fix use-after-free in completion callback

Reset the hcpriv field before returning the message to greybus core in
the OUT-URB completion callback.

This fixes a use-after-free bug when sending responses to incoming
requests, as in that case the final reference to the message is dropped
when it is returned to core.
Reported-by: Michael Scott <michael.scott@linaro.org>
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
parent 336dfeab
...@@ -397,16 +397,16 @@ static void cport_out_callback(struct urb *urb) ...@@ -397,16 +397,16 @@ static void cport_out_callback(struct urb *urb)
gb_message_cport_clear(message->header); gb_message_cport_clear(message->header);
spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
message->hcpriv = NULL;
spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
/* /*
* Tell the submitter that the message send (attempt) is * Tell the submitter that the message send (attempt) is
* complete, and report the status. * complete, and report the status.
*/ */
greybus_message_sent(hd, message, status); greybus_message_sent(hd, message, status);
spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
message->hcpriv = NULL;
spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
free_urb(es1, urb); free_urb(es1, urb);
} }
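Review bot: The new ordering at lines 17–19 is the fix, but nothing in the code records why the hcpriv reset must stay ahead of greybus_message_sent(); a later cleanup could move the locked section back below the callback and silently reintroduce the use-after-free this commit removes. I would document the constraint on the new block: `/* Drop our URB reference before handing the message back: greybus_message_sent() may release the final reference to message, so it must not be touched afterwards. */`. If the driver's cancel path looks the URB up through message->hcpriv (not visible in this hunk), clearing it under the lock before the message is returned also keeps that path from racing with the free_urb() below, which is worth stating in the same comment if it holds. cport_out_callback begins outside the hunk, so the earlier derivation of message, hd and status could not be checked here.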
...@@ -506,16 +506,16 @@ static void cport_out_callback(struct urb *urb) ...@@ -506,16 +506,16 @@ static void cport_out_callback(struct urb *urb)
gb_message_cport_clear(message->header); gb_message_cport_clear(message->header);
spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
message->hcpriv = NULL;
spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
/* /*
* Tell the submitter that the message send (attempt) is * Tell the submitter that the message send (attempt) is
* complete, and report the status. * complete, and report the status.
*/ */
greybus_message_sent(hd, message, status); greybus_message_sent(hd, message, status);
spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
message->hcpriv = NULL;
spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
free_urb(es1, urb); free_urb(es1, urb);
} }
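Review bot: This copy of cport_out_callback gets the same reorder as the es1 one at lines 33–35, and like that one it carries no comment explaining why message->hcpriv is cleared before greybus_message_sent() rather than after; the intent lives only in the commit message. Please add the same explanatory comment to both copies, e.g. `/* Clear hcpriv before returning the message; core may drop the last reference to message in greybus_message_sent(). */`, so the ordering survives the next refactor of either file. Having two byte-identical callbacks patched in lockstep is itself a maintenance hazard worth noting, though consolidating them is outside this change. The function's head is outside the hunk, so the source of message, hd and status was not reviewed here.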