From c231c5a47a0c697e7bc821af0b5cb28d129fe8e0 Mon Sep 17 00:00:00 2001
From: Alexander Aring
Date: Fri, 19 Feb 2016 09:59:12 +0100
Subject: [PATCH] at86rf230: fix race on error handling

The resource "ctx" can be still used by at86rf230_async_state_change, we need to free it at the complete handler of the async state change to avoid a use after free.

Signed-off-by: Alexander Aring
Signed-off-by: Marcel Holtmann
---
 drivers/net/ieee802154/at86rf230.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c
index 0fbbba7a0cae..bf3cfe44b84f 100644
--- a/drivers/net/ieee802154/at86rf230.c
+++ b/drivers/net/ieee802154/at86rf230.c
@@ -342,6 +342,18 @@ static const struct regmap_config at86rf230_regmap_spi_config = {
 .precious_reg = at86rf230_reg_precious,
 };
 
+static void
+at86rf230_async_error_recover_complete(void *context)
+{
+ struct at86rf230_state_change *ctx = context;
+ struct at86rf230_local *lp = ctx->lp;
+
+ if (ctx->free)
+ kfree(ctx);
+
+ ieee802154_wake_queue(lp->hw);
+}
+
 static void
 at86rf230_async_error_recover(void *context)
 {
@@ -349,10 +361,8 @@ at86rf230_async_error_recover(void *context)
 struct at86rf230_local *lp = ctx->lp;
 
 lp->is_tx = 0;
- at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON, NULL);
- ieee802154_wake_queue(lp->hw);
- if (ctx->free)
- kfree(ctx);
+ at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON,
+ at86rf230_async_error_recover_complete);
 }
 
 static inline void
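Review bot: In at86rf230_async_error_recover_complete the `kfree(ctx)` is safe only because `lp` is copied out of `ctx` on the line above, and nothing in the function says so, so a later edit that reads `ctx` after the `if (ctx->free)` block, or reorders the two statements, would reintroduce the use-after-free this commit fixes. A comment above the `if (ctx->free)` would pin the invariant: `/* ctx may be freed below; lp was saved first and is the only thing used afterwards */`. It is also worth recording in a comment on the function that, when `ctx->free` is set, this completion handler now owns the heap-allocated ctx, since the second hunk moves that ownership out of at86rf230_async_error_recover.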
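Review bot: The recovery path in at86rf230_async_error_recover now relies on at86rf230_async_error_recover_complete actually being invoked; if at86rf230_async_state_change can bail out before running the completion (for instance on a failed register access), a heap-allocated `ctx` is never freed and `ieee802154_wake_queue` is never called, leaving the TX queue stalled. at86rf230_async_state_change is not in this patch, so I cannot confirm from here whether its error path invokes the completion; the ownership hand-off should be checked against it. The enclosing at86rf230_async_error_recover starts before this hunk, so the `ctx` declaration it uses is outside view.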