[PATCH 3.8 33/86] firewire: net: fix use after free

[Kamal Mostafa]

3.8.13.21 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefan Richter <stefanr at s5r6.in-berlin.de>

commit 8987583366ae9e03c306c2b7d73bdb952df1d08d upstream.

Commit 8408dc1c14c1 "firewire: net: use dev_printk API" introduced a
use-after-free in a failure path.  fwnet_transmit_packet_failed(ptask)
may free ptask, then the dev_err() call dereferenced it.  The fix is
straightforward; simply reorder the two calls.

Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Stefan Richter <stefanr at s5r6.in-berlin.de>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/firewire/net.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c
index e7a711f5..9079137 100644
--- a/drivers/firewire/net.c
+++ b/drivers/firewire/net.c
@@ -1012,8 +1012,6 @@ static void fwnet_write_complete(struct fw_card *card, int rcode,
 	if (rcode == RCODE_COMPLETE) {
 		fwnet_transmit_packet_done(ptask);
 	} else {
-		fwnet_transmit_packet_failed(ptask);
-
 		if (printk_timed_ratelimit(&j,  1000) || rcode != last_rcode) {
 			dev_err(&ptask->dev->netdev->dev,
 				"fwnet_write_complete failed: %x (skipped %d)\n",
@@ -1021,8 +1019,10 @@ static void fwnet_write_complete(struct fw_card *card, int rcode,
 
 			errors_skipped = 0;
 			last_rcode = rcode;
-		} else
+		} else {
 			errors_skipped++;
+		}
+		fwnet_transmit_packet_failed(ptask);
 	}
 }
 
-- 
1.8.3.2