greybus: operation: fix cancellation use-after-free

The final reference of an operation will be put after its completion
handler has run, so we must not drop the reference if it has already
been scheduled to avoid use-after-free.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

diff --git a/drivers/staging/greybus/operation.c b/drivers/staging/greybus/operation.c
index 3392b42..7adfa63 100644 (file)
--- a/drivers/staging/greybus/operation.c
+++ b/drivers/staging/greybus/operation.c
@@ -846,8 +846,8 @@ void gb_operation_cancel(struct gb_operation *operation, int errno)
                gb_message_cancel(operation->request);
                if (operation->response)
                        gb_message_cancel(operation->response);
+               gb_operation_put(operation);
        }
-       gb_operation_put(operation);
 }
 EXPORT_SYMBOL_GPL(gb_operation_cancel);