| Message ID | 156577967167.1405.3581547705200268244.stgit@warthog.procyon.org.uk |
|---|---|
| Headers | show |
| Series | rxrpc: Fix local endpoint handling | expand |
From: David Howells <dhowells@redhat.com> Date: Wed, 14 Aug 2019 11:47:51 +0100 > Here's a pair of patches that fix two issues in the handling of local > endpoints (rxrpc_local structs): > > (1) Use list_replace_init() rather than list_replace() if we're going to > unconditionally delete the replaced item later, lest the list get > corrupted. > > (2) Don't access the rxrpc_local object after passing our ref to the > workqueue, not even to illuminate tracepoints, as the work function > may cause the object to be freed. We have to cache the information > beforehand. Pulled, thanks David.
Here's a pair of patches that fix two issues in the handling of local endpoints (rxrpc_local structs): (1) Use list_replace_init() rather than list_replace() if we're going to unconditionally delete the replaced item later, lest the list get corrupted. (2) Don't access the rxrpc_local object after passing our ref to the workqueue, not even to illuminate tracepoints, as the work function may cause the object to be freed. We have to cache the information beforehand. The patches are tagged here: git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git rxrpc-fixes-20190814 and can also be found on the following branch: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes David --- David Howells (2): rxrpc: Fix local endpoint replacement rxrpc: Fix read-after-free in rxrpc_queue_local() include/trace/events/rxrpc.h | 6 +++--- net/rxrpc/local_object.c | 21 +++++++++++---------- 2 files changed, 14 insertions(+), 13 deletions(-)