firewire: fix panic in handle_at_packet
author Stefan Richter <stefanr@s5r6.in-berlin.de>
Sat, 15 Mar 2008 23:56:41 +0000 (00:56 +0100)
committer Stefan Richter <stefanr@s5r6.in-berlin.de>
Thu, 20 Mar 2008 17:13:05 +0000 (18:13 +0100)
commit 10a4c735515a5afc317abe4d697a4c95f6d9d764
tree 12ccd93d3747f55c5efeeb51a042a5d4829eb3d7
parent a978b30af3bab0dd9af9350eeda25e76123fa28e
firewire: fix panic in handle_at_packet

This fixes a use-after-free bug in the handling of split transactions.
The AT DMA handler of the request was occasionally executed after the
AR DMA handler of the response.  The AT DMA handler then accessed an
already freed packet.

Reported by Johannes Berg.
http://bugzilla.kernel.org/show_bug.cgi?id=9617

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Jarod Wilson <jwilson@redhat.com>
drivers/firewire/fw-transaction.c
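
The ordering hazard described in the commit message, as an added example that is not the driver's code and not the change made by this commit: a split transaction has two completions (AT for the sent request, AR for the received response) that can arrive in either order, and a reference count lets whichever one runs last free the object. All names (`struct txn`, `txn_put`, `run_order`) are hypothetical, and the model is single-threaded.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a split transaction; not the firewire driver's types. */
struct txn {
    int refs;           /* one reference per pending completion */
    int at_status;      /* written by the AT (request sent) completion */
    int response_seen;  /* written by the AR (response received) completion */
    int *freed;         /* constructed test hook: set to 1 on free */
};

static struct txn *txn_new(int *freed)
{
    struct txn *t = calloc(1, sizeof(*t));
    if (!t) return NULL;
    t->refs = 2;        /* AT completion + AR completion */
    t->freed = freed;
    return t;
}

/* Drop one reference; the last holder frees (kernel code: atomic counter). */
static void txn_put(struct txn *t)
{
    if (--t->refs == 0) {
        *t->freed = 1;
        free(t);
    }
}

/* Each handler touches the object first, then gives up its reference. */
static void at_complete(struct txn *t, int status) { t->at_status = status; txn_put(t); }
static void ar_complete(struct txn *t) { t->response_seen = 1; txn_put(t); }

/* Returns 1 if the object survived the first completion and was freed by the second. */
static int run_order(int ar_first)
{
    int freed = 0;
    struct txn *t = txn_new(&freed);
    if (!t) return -1;
    if (ar_first) ar_complete(t); else at_complete(t, 0);
    int alive_after_first = !freed;
    if (ar_first) at_complete(t, 0); else ar_complete(t);
    return alive_after_first && freed;
}

int main(void)
{
    printf("AT then AR: %d\nAR then AT: %d\n", run_order(0), run_order(1));
    return 0;
}
```

Without the count, the `ar_first` ordering is the one from the report: the response handler frees the object and the late AT handler then writes into freed memory.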