From 73f9d73f124ccba16403971b5101d4a947161481 Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@hovoldconsulting.com>
Date: Wed, 1 Jul 2015 12:37:25 +0200
Subject: [PATCH] greybus: operation: fix cancellation use-after-free

The final reference of an operation will be put after its completion
handler has run, so we must not drop the reference if it has already
been scheduled to avoid use-after-free.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
---
 drivers/staging/greybus/operation.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index 3392b425a6c2..7adfa6346288 100644
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -846,8 +846,8 @@ void gb_operation_cancel(struct gb_operation *operation, int errno)
 		gb_message_cancel(operation->request);
 		if (operation->response)
 			gb_message_cancel(operation->response);
+		gb_operation_put(operation);
 	}
-	gb_operation_put(operation);
 }
 EXPORT_SYMBOL_GPL(gb_operation_cancel);
 
-- 
2.39.5