Commit 368094df authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'for-linus-5.13b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fix from Juergen Gross:
 "A single patch fixing a Xen related security bug: a malicious guest
  might be able to trigger a 'use after free' issue in the xen-netback
  driver"

* tag 'for-linus-5.13b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen-netback: take a reference to the RX task thread
parents 374aeb91 107866a8
...@@ -684,6 +684,7 @@ static void xenvif_disconnect_queue(struct xenvif_queue *queue) ...@@ -684,6 +684,7 @@ static void xenvif_disconnect_queue(struct xenvif_queue *queue)
{ {
if (queue->task) { if (queue->task) {
kthread_stop(queue->task); kthread_stop(queue->task);
put_task_struct(queue->task);
queue->task = NULL; queue->task = NULL;
} }
...@@ -745,6 +746,11 @@ int xenvif_connect_data(struct xenvif_queue *queue, ...@@ -745,6 +746,11 @@ int xenvif_connect_data(struct xenvif_queue *queue,
if (IS_ERR(task)) if (IS_ERR(task))
goto kthread_err; goto kthread_err;
queue->task = task; queue->task = task;
/*
* Take a reference to the task in order to prevent it from being freed
* if the thread function returns before kthread_stop is called.
*/
get_task_struct(task);
task = kthread_run(xenvif_dealloc_kthread, queue, task = kthread_run(xenvif_dealloc_kthread, queue,
"%s-dealloc", queue->name); "%s-dealloc", queue->name);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment