| From foo@baz Thu 06 Feb 2020 06:56:59 AM GMT |
| From: David Howells <dhowells@redhat.com> |
| Date: Thu, 30 Jan 2020 21:50:35 +0000 |
| Subject: rxrpc: Fix use-after-free in rxrpc_put_local() |
| |
| From: David Howells <dhowells@redhat.com> |
| |
| [ Upstream commit fac20b9e738523fc884ee3ea5be360a321cd8bad ] |
| |
| Fix rxrpc_put_local() to not access local->debug_id after calling |
| atomic_dec_return() as, unless that returned n==0, we no longer have the |
| right to access the object. |
| |
| Fixes: 06d9532fa6b3 ("rxrpc: Fix read-after-free in rxrpc_queue_local()") |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/rxrpc/local_object.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| --- a/net/rxrpc/local_object.c |
| +++ b/net/rxrpc/local_object.c |
| @@ -368,11 +368,14 @@ void rxrpc_queue_local(struct rxrpc_loca |
| void rxrpc_put_local(struct rxrpc_local *local) |
| { |
| const void *here = __builtin_return_address(0); |
| + unsigned int debug_id; |
| int n; |
| |
| if (local) { |
| + debug_id = local->debug_id; |
| + |
| n = atomic_dec_return(&local->usage); |
| - trace_rxrpc_local(local->debug_id, rxrpc_local_put, n, here); |
| + trace_rxrpc_local(debug_id, rxrpc_local_put, n, here); |
| |
| if (n == 0) |
| call_rcu(&local->rcu, rxrpc_local_rcu); |