From: Johan Hovold
Date: Wed, 18 May 2016 13:47:48 +0000 (+0200)
Subject: greybus: operation: fix broken activation logic
X-Git-Tag: v4.9-rc1~119^2~378^2~21^2~373
X-Git-Url: http://git.cascardo.info/?p=cascardo%2Flinux.git;a=commitdiff_plain;h=ef62adae82524c745640850f62ab0dfe0b580c9f

greybus: operation: fix broken activation logic

An operation should only be added to the connection active list if the connection is in the enabled state, or if it is in the enabled_tx state and the operation is not incoming.

This fixes a race where an early or late incoming request could be added to the active list while the connection is being enabled or disabled, something which could lead to use-after-free issues or worse.

Note that the early connection-state checks in the receive path limited the impact of this bug.

Fixes: e903a2ce7379 ("connection: add unidirectional enabled state")
Reported-by: Alex Elder
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c index 31df413f5901..b7cc59d0a252 100644 --- a/drivers/staging/greybus/operation.c +++ b/drivers/staging/greybus/operation.c @@ -48,8 +48,8 @@ static int gb_operation_get_active(struct gb_operation *operation) spin_lock_irqsave(&connection->lock, flags); if (connection->state != GB_CONNECTION_STATE_ENABLED && - connection->state != GB_CONNECTION_STATE_ENABLED_TX && - !gb_operation_is_incoming(operation)) { + (connection->state != GB_CONNECTION_STATE_ENABLED_TX || + gb_operation_is_incoming(operation))) { spin_unlock_irqrestore(&connection->lock, flags); return -ENOTCONN; }
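Review bot: the rewritten condition in gb_operation_get_active() is correct (it rejects unless the state is ENABLED, or ENABLED_TX with an outgoing operation), but the nested negation is easy to misread, which is exactly how the old `&& !gb_operation_is_incoming(operation)` ended up letting an incoming operation through in every state other than ENABLED or ENABLED_TX, including while the connection was disabled. Consider a one-line comment above the `if` stating the positive rule ("an operation may become active only when the connection is ENABLED, or ENABLED_TX and the operation is outgoing"), or factoring the test into a small static predicate with a descriptive name (for example `gb_connection_accepts_operation()`, a hypothetical name), so the next change to this rule does not reintroduce the inverted logic. The check stays under connection->lock and the `spin_unlock_irqrestore(&connection->lock, flags)` before `return -ENOTCONN` is preserved, so the locking in this hunk is fine; the lock is what makes this check sufficient where the unlocked early connection-state checks in the receive path mentioned in the commit message were not.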