greybus: operation: fix use-after-free in response receive path Fix potential use-after-free in response receive path, due to lack of reference counting when looking up operations on a connection. Make sure to acquire a reference to the operation while holding the connection-list lock. Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

commit: 0581f28efb86d8eb7e7f6baf712578477f7c868e [log] [tgz]
author: Johan Hovold <johan@hovoldconsulting.com> Thu Jul 09 15:17:59 2015 +0200
committer: Greg Kroah-Hartman <gregkh@google.com> Mon Jul 13 15:29:27 2015 -0700
tree: 302fb689cc9be3be38b02de0e0d25b37ec1bc616
parent: 85109f7ddde4b1842bfb08741a8b461e31ef2c4f [diff] [blame]
diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index f8d7df9..8f99c8e 100644
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c

@@ -114,6 +114,10 @@
 }
 EXPORT_SYMBOL_GPL(gb_operation_result);
 
+/*
+ * Looks up an operation on a connection and returns a refcounted pointer if
+ * found, or NULL otherwise.
+ */
 static struct gb_operation *
 gb_operation_find(struct gb_connection *connection, u16 operation_id)
 {
@@ -124,6 +128,7 @@
 	spin_lock_irqsave(&gb_operations_lock, flags);
 	list_for_each_entry(operation, &connection->operations, links)
 		if (operation->id == operation_id) {
+			gb_operation_get(operation);
 			found = true;
 			break;
 		}
@@ -795,6 +800,8 @@
 	/* The rest will be handled in work queue context */
 	if (gb_operation_result_set(operation, errno))
 		queue_work(gb_operation_workqueue, &operation->work);
+
+	gb_operation_put(operation);
 }
 
 /*
commit	0581f28efb86d8eb7e7f6baf712578477f7c868e	[log] [tgz]
author	Johan Hovold <johan@hovoldconsulting.com>	Thu Jul 09 15:17:59 2015 +0200
committer	Greg Kroah-Hartman <gregkh@google.com>	Mon Jul 13 15:29:27 2015 -0700
tree	302fb689cc9be3be38b02de0e0d25b37ec1bc616
parent	85109f7ddde4b1842bfb08741a8b461e31ef2c4f [diff] [blame]