shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 19:30:30 +09:00
Code Issues Packages Projects Releases Wiki Activity

rxrpc: Fix use-after-free in rxrpc_put_local()

Browse Source 
[ Upstream commit fac20b9e73 ]

Fix rxrpc_put_local() to not access local->debug_id after calling
atomic_dec_return() as, unless that returned n==0, we no longer have the
right to access the object.

Fixes: 06d9532fa6 ("rxrpc: Fix read-after-free in rxrpc_queue_local()")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
David Howells
2020-01-30 21:50:35 +00:00
committed by Greg Kroah-Hartman
parent 7e23f798af
commit 85c45a4805
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
net/rxrpc/local_object.c
View File

@@ -368,11 +368,14 @@ void rxrpc_queue_local(struct rxrpc_local *local)
void rxrpc_put_local(struct rxrpc_local *local)
{
const void *here = __builtin_return_address(0);
unsigned int debug_id;
int n;
if (local) {
debug_id = local->debug_id;
n = atomic_dec_return(&local->usage);
trace_rxrpc_local(local->debug_id, rxrpc_local_put, n, here);
trace_rxrpc_local(debug_id, rxrpc_local_put, n, here);
if (n == 0)
call_rcu(&local->rcu, rxrpc_local_rcu);