| From b6c1ec5970be9916e9ad29958e0d0e25fc9c6f20 Mon Sep 17 00:00:00 2001 |
| From: David Howells <dhowells@redhat.com> |
| Date: Thu, 30 Jan 2020 21:50:35 +0000 |
| Subject: [PATCH] rxrpc: Fix use-after-free in rxrpc_put_local() |
| |
| commit fac20b9e738523fc884ee3ea5be360a321cd8bad upstream. |
| |
| Fix rxrpc_put_local() to not access local->debug_id after calling |
| atomic_dec_return() as, unless that returned n==0, we no longer have the |
| right to access the object. |
| |
| Fixes: 06d9532fa6b3 ("rxrpc: Fix read-after-free in rxrpc_queue_local()") |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c |
| index 4f0539c8179a..f3e14aa75610 100644 |
| --- a/net/rxrpc/local_object.c |
| +++ b/net/rxrpc/local_object.c |
| @@ -364,11 +364,14 @@ void rxrpc_queue_local(struct rxrpc_local *local) |
| void rxrpc_put_local(struct rxrpc_local *local) |
| { |
| const void *here = __builtin_return_address(0); |
| + unsigned int debug_id; |
| int n; |
| |
| if (local) { |
| + debug_id = local->debug_id; |
| + |
| n = atomic_dec_return(&local->usage); |
| - trace_rxrpc_local(local->debug_id, rxrpc_local_put, n, here); |
| + trace_rxrpc_local(debug_id, rxrpc_local_put, n, here); |
| |
| if (n == 0) |
| call_rcu(&local->rcu, rxrpc_local_rcu); |
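Review bot: The new `debug_id = local->debug_id;` snapshot carries no comment saying why the field must be read before the decrement, so a later tidy-up could fold it back into the `trace_rxrpc_local()` call and reintroduce the use-after-free. I would put `/* Read before dropping our ref: unless atomic_dec_return() returns 0, another holder may free *local. */` directly above the assignment. The same ordering constraint is what makes the `n == 0` branch the only place below the decrement where `local` may still be dereferenced, and that is worth stating in the comment as well. Other tracepoints in this file that read a field after a put are not visible here and may deserve the same check. The body of rxrpc_put_local() continues past the end of the hunk.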
| -- |
| 2.7.4 |
| |