authorStefan Richter <stefanr@s5r6.in-berlin.de>2008-03-15 19:56:41 -0400
committerStefan Richter <stefanr@s5r6.in-berlin.de>2008-03-20 13:13:05 -0400
commit10a4c735515a5afc317abe4d697a4c95f6d9d764 (patch)
tree12ccd93d3747f55c5efeeb51a042a5d4829eb3d7 /drivers
parenta978b30af3bab0dd9af9350eeda25e76123fa28e (diff)
firewire: fix panic in handle_at_packet
This fixes a use-after-free bug in the handling of split transactions. The AT DMA handler of the request was occasionally executed after the AR DMA handler of the response. The AT DMA handler then accessed an already freed packet. Reported by Johannes Berg. http://bugzilla.kernel.org/show_bug.cgi?id=9617 Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Tested-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Jarod Wilson <jwilson@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/firewire/fw-transaction.c6
1 files changed, 6 insertions, 0 deletions
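--- a/drivers/firewire/fw-transaction.c
+++ b/drivers/firewire/fw-transaction.c
@@ -736,6 +736,12 @@ fw_core_handle_response(struct fw_card *card, struct fw_packet *p)
 		break;
 	}
 
+	/*
+	 * The response handler may be executed while the request handler
+	 * is still pending. Cancel the request handler.
+	 */
+	card->driver->cancel_packet(card, &t->packet);
+
 	t->callback(card, rcode, data, data_length, t->callback_data);
 }
 EXPORT_SYMBOL(fw_core_handle_response);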
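Review bot: The ordering added here is load-bearing but the comment does not say so: `card->driver->cancel_packet()` must make it impossible for the request's AT completion to run against `t->packet` after it returns, because `t->callback()` on the next line may free the transaction, and a cancel that only dequeues a not-yet-started packet would leave a window for a completion already executing on another CPU. Suggest extending the comment with `* cancel_packet() must not return while an AT completion for t->packet can still run, since t->callback() may free t.` so the contract is visible to anyone implementing a card driver. The call's result is discarded; if the driver reports whether the packet was still queued (unverified from this hunk), a one-line comment noting that "already completed" is a benign outcome would make the intent explicit. fw_core_handle_response begins outside the hunk, so where `t` is looked up and whether it is still on the transaction list at this point cannot be checked here.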