From: Johan Hovold Date: Tue, 14 Jul 2015 13:43:32 +0000 (+0200) Subject: greybus: connection: fix protocol tear-down race X-Git-Tag: v4.9-rc1~119^2~378^2~21^2~1374 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=7f1b67cd535673cef9b9c9fa772d04015f64bd8e;p=karo-tx-linux.git greybus: connection: fix protocol tear-down race Make sure to cancel all active operations before calling protocol connection_exit to prevent use-after-free issues when the protocol state is being deallocated (e.g. late processing of already-queued requests or completions). Note that already-queued requests or completions will be processed as part of cancellation. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/staging/greybus/connection.c b/drivers/staging/greybus/connection.c
index 2d19082a7f35..ac9b2d174805 100644
--- a/drivers/staging/greybus/connection.c
+++ b/drivers/staging/greybus/connection.c
@@ -232,9 +232,6 @@ static void gb_connection_cancel_operations(struct gb_connection *connection,
 struct gb_operation *operation;
 spin_lock_irq(&connection->lock);
-
- WARN_ON(!list_empty(&connection->operations));
-
 while (!list_empty(&connection->operations)) {
 operation = list_last_entry(&connection->operations, struct gb_operation, links);
@@ -259,8 +256,6 @@ void gb_connection_destroy(struct gb_connection *connection)
 if (WARN_ON(!connection)) return;
- gb_connection_cancel_operations(connection, -ESHUTDOWN);
-
 spin_lock_irq(&gb_connections_lock);
 list_del(&connection->bundle_links);
 list_del(&connection->hd_links);
@@ -334,6 +329,8 @@ void gb_connection_exit(struct gb_connection *connection)
 connection->state = GB_CONNECTION_STATE_DESTROYING;
 spin_unlock_irq(&connection->lock);
+ gb_connection_cancel_operations(connection, -ESHUTDOWN);
+
 connection->protocol->connection_exit(connection);
 /*
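Review bot: With cancellation now performed only in gb_connection_exit(), nothing on the visible lines guarantees that a connection reaching gb_connection_destroy() has an empty operations list; if gb_connection_exit() can return before the added call (its beginning is outside the hunk) or a caller skips it, queued operations would outlive the connection they point to. A cheap guard is to keep a check in gb_connection_destroy() before the list_del() calls, `WARN_ON(!list_empty(&connection->operations));`, so a missed cancellation surfaces as a warning rather than a later use-after-free. The added call also appears to rely on no new operation being linked once the state is GB_CONNECTION_STATE_DESTROYING, which is enforced (if at all) outside this hunk; a comment above the call such as `/* No operations may be added once DESTROYING is set; cancel before the protocol frees its state. */` would record that ordering requirement.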