From: Johan Hovold <johan@hovoldconsulting.com>
Date: Wed, 1 Jul 2015 10:37:25 +0000 (+0200)
Subject: greybus: operation: fix cancellation use-after-free
X-Git-Tag: v4.9-rc1~119^2~378^2~21^2~1422
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=73f9d73f124ccba16403971b5101d4a947161481;p=karo-tx-linux.git

greybus: operation: fix cancellation use-after-free

The final reference of an operation will be put after its completion
handler has run, so we must not drop the reference if it has already
been scheduled to avoid use-after-free.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
---

diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index 3392b425a6c2..7adfa6346288 100644
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -846,8 +846,8 @@ void gb_operation_cancel(struct gb_operation *operation, int errno)
 		gb_message_cancel(operation->request);
 		if (operation->response)
 			gb_message_cancel(operation->response);
+		gb_operation_put(operation);
 	}
-	gb_operation_put(operation);
 }
 EXPORT_SYMBOL_GPL(gb_operation_cancel);