greybus: operation: fix use-after-free and infinite loop on unhandled requests

Make sure to return a proper response in case we get a request we do not
recognise.

This fixes an infinite loop and use-after-free bug, where the freed
operations structure would get re-added to the work queue indefinitely.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

drivers/staging/greybus/operation.c

@@ -208,14 +208,11 @@ static void gb_message_cancel(struct gb_message *message)
 static void gb_operation_request_handle(struct gb_operation *operation)
 {
 	struct gb_protocol *protocol = operation->connection->protocol;
+	int ret;
 
 	if (!protocol)
 		return;
 
-	/*
-	 * If the protocol has no incoming request handler, report
-	 * an error and mark the request bad.
-	 */
 	if (protocol->request_recv) {
 		protocol->request_recv(operation->type, operation);
 		return;
@@ -223,10 +220,14 @@ static void gb_operation_request_handle(struct gb_operation *operation)
 
 	dev_err(&operation->connection->dev,
 		"unexpected incoming request type 0x%02hhx\n", operation->type);
-	if (gb_operation_result_set(operation, -EPROTONOSUPPORT))
+
-		queue_work(gb_operation_workqueue, &operation->work);
+	ret = gb_operation_response_send(operation, -EPROTONOSUPPORT);
-	else
+	if (ret) {
-		WARN(true, "failed to mark request bad\n");
+		dev_err(&operation->connection->dev,
+			"failed to send response %d: %d\n",
+			-EPROTONOSUPPORT, ret);
+			return;
+	}
 }
 
 /*