firewire: fix panic in handle_at_packet

This fixes a use-after-free bug in the handling of split transactions. The AT DMA handler of the request was occasionally executed after the AR DMA handler of the response. The AT DMA handler then accessed an already freed packet. Reported by Johannes Berg. http://bugzilla.kernel.org/show_bug.cgi?id=9617Signed-off-by: N Stefan Richter <stefanr@s5r6.in-berlin.de> Tested-by: N Johannes Berg <johannes@sipsolutions.net> Signed-off-by: N Jarod Wilson <jwilson@redhat.com>

firewire: fix panic in handle_at_packet
This fixes a use-after-free bug in the handling of split transactions. The AT DMA handler of the request was occasionally executed after the AR DMA handler of the response. The AT DMA handler then accessed an already freed packet. Reported by Johannes Berg. http://bugzilla.kernel.org/show_bug.cgi?id=9617Signed-off-by: N Stefan Richter <stefanr@s5r6.in-berlin.de> Tested-by: N Johannes Berg <johannes@sipsolutions.net> Signed-off-by: N Jarod Wilson <jwilson@redhat.com>
10a4c735 · Stefan Richter · a978b30a · 10a4c735
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

drivers/firewire/fw-transaction.c drivers/firewire/fw-transaction.c +6 -0

未找到文件。
--- a/drivers/firewire/fw-transaction.c
+++ b/drivers/firewire/fw-transaction.c
@@ -736,6 +736,12 @@ fw_core_handle_response(struct fw_card *card, struct fw_packet *p)
 		break;
 	}

+	/*
+	 * The response handler may be executed while the request handler
+	 * is still pending.  Cancel the request handler.
+	 */
+	card->driver->cancel_packet(card, &t->packet);
+
 	t->callback(card, rcode, data, data_length, t->callback_data);
 }
 EXPORT_SYMBOL(fw_core_handle_response);