Commit 5c5f1d16 authored by Andrew Morton, committed by Linus Torvalds

[PATCH] svcsock use-after-free fix

From: Neil Brown <neilb@cse.unsw.edu.au>

Extract ->stamp from skb *before* freeing it in svcsock.c

As we sometimes copy and free an skb, and sometimes use it in-place, we must
be careful to extract information from it *before* it might be freed, not
after.

Manfred's page-unmapping debug patch found this one.
parent 747ec9b0
...@@ -589,6 +589,8 @@ svc_udp_recvfrom(struct svc_rqst *rqstp) ...@@ -589,6 +589,8 @@ svc_udp_recvfrom(struct svc_rqst *rqstp)
rqstp->rq_addr.sin_port = skb->h.uh->source; rqstp->rq_addr.sin_port = skb->h.uh->source;
rqstp->rq_addr.sin_addr.s_addr = skb->nh.iph->saddr; rqstp->rq_addr.sin_addr.s_addr = skb->nh.iph->saddr;
svsk->sk_sk->stamp = skb->stamp;
if (skb_is_nonlinear(skb)) { if (skb_is_nonlinear(skb)) {
/* we have to copy */ /* we have to copy */
local_bh_disable(); local_bh_disable();
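Review bot: The new `svsk->sk_sk->stamp = skb->stamp;` placed ahead of `if (skb_is_nonlinear(skb))` carries no comment explaining that it has to run before the copy path, so a later cleanup could move it back to the end of the function. A one-line comment above it, on the lines of "read from skb before the copy path may free it", would keep the ordering constraint visible next to the `sin_port` and `s_addr` reads that already sit here.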
...@@ -629,7 +631,6 @@ svc_udp_recvfrom(struct svc_rqst *rqstp) ...@@ -629,7 +631,6 @@ svc_udp_recvfrom(struct svc_rqst *rqstp)
serv->sv_stats->netudpcnt++; serv->sv_stats->netudpcnt++;
/* One down, maybe more to go... */ /* One down, maybe more to go... */
svsk->sk_sk->stamp = skb->stamp;
svc_sock_received(svsk); svc_sock_received(svsk);
return len; return len;
......