greybus: es1/2: fix use-after-free in completion callback

Reset the hcpriv field before returning the message to greybus core in
the OUT-URB completion callback.

This fixes a use-after-free bug when sending responses to incoming
requests as the final reference is then dropped when the message is
returned.

Reported-by: Michael Scott <michael.scott@linaro.org>
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
diff --git a/drivers/staging/greybus/es1.c b/drivers/staging/greybus/es1.c
index f2853ff..2c56aaf 100644
--- a/drivers/staging/greybus/es1.c
+++ b/drivers/staging/greybus/es1.c
@@ -397,16 +397,16 @@
 
 	gb_message_cport_clear(message->header);
 
+	spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
+	message->hcpriv = NULL;
+	spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
+
 	/*
 	 * Tell the submitter that the message send (attempt) is
 	 * complete, and report the status.
 	 */
 	greybus_message_sent(hd, message, status);
 
-	spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
-	message->hcpriv = NULL;
-	spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
-
 	free_urb(es1, urb);
 }
 
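Review bot: The new position of the `message->hcpriv = NULL` block, ahead of `greybus_message_sent()`, is a lifetime rule that the code itself does not state, so a later cleanup could move it back and reintroduce the use-after-free. According to the commit message, the final reference can be dropped when the message is returned to the core, so nothing may dereference `message` after that call. I would put a comment above the lock, for example `/* Clear hcpriv before greybus_message_sent(): it may drop the last reference, so message must not be touched afterwards. */`. The same comment belongs in the identical es2.c hunk. The enclosing completion callback starts outside the hunk, so I cannot confirm from here that no other path reads `message` after the call.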
diff --git a/drivers/staging/greybus/es2.c b/drivers/staging/greybus/es2.c
index 8fee116..22b67d2 100644
--- a/drivers/staging/greybus/es2.c
+++ b/drivers/staging/greybus/es2.c
@@ -506,16 +506,16 @@
 
 	gb_message_cport_clear(message->header);
 
+	spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
+	message->hcpriv = NULL;
+	spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
+
 	/*
 	 * Tell the submitter that the message send (attempt) is
 	 * complete, and report the status.
 	 */
 	greybus_message_sent(hd, message, status);
 
-	spin_lock_irqsave(&es1->cport_out_urb_lock, flags);
-	message->hcpriv = NULL;
-	spin_unlock_irqrestore(&es1->cport_out_urb_lock, flags);
-
 	free_urb(es1, urb);
 }