Commit 10a4c735 authored Mar 16, 2008 by Stefan Richter

firewire: fix panic in handle_at_packet

This fixes a use-after-free bug in the handling of split transactions.
The AT DMA handler of the request was occasionally executed after the
AR DMA handler of the response.  The AT DMA handler then accessed an
already freed packet.

Reported by Johannes Berg.
http://bugzilla.kernel.org/show_bug.cgi?id=9617



Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Jarod Wilson <jwilson@redhat.com>

parent a978b30a

drivers/firewire/fw-transaction.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -736,6 +736,12 @@ fw_core_handle_response(struct fw_card card, struct fw_packet p)
		break;
		}

		/*
		* The response handler may be executed while the request handler
		* is still pending. Cancel the request handler.
		*/
		card->driver->cancel_packet(card, &t->packet);

		t->callback(card, rcode, data, data_length, t->callback_data);
		}
		EXPORT_SYMBOL(fw_core_handle_response);