| Message ID | 20210311084616.12356-1-lyl2019@mail.ustc.edu.cn |
|---|---|
| State | New |
| Headers | show |
| Series | net/rds: Fix a use after free in rds_message_map_pages | expand |
Just as a reminder, there has been no reply to this message for more than a week. Could someone help to fix this issue? > -----原始邮件----- > 发件人: "Lv Yunlong" <lyl2019@mail.ustc.edu.cn> > 发送时间: 2021-03-11 16:46:16 (星期四) > 收件人: santosh.shilimkar@oracle.com, davem@davemloft.net, kuba@kernel.org > 抄送: netdev@vger.kernel.org, linux-rdma@vger.kernel.org, rds-devel@oss.oracle.com, linux-kernel@vger.kernel.org, "Lv Yunlong" <lyl2019@mail.ustc.edu.cn> > 主题: [PATCH] net/rds: Fix a use after free in rds_message_map_pages > > In rds_message_map_pages, rds_message_put() will free rm. > Maybe store the value of rm->data.op_sg ahead of rds_message_put() > is better. Otherwise other threads could allocate the freed chunk > and may change the value of rm->data.op_sg. > > Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> > --- > net/rds/message.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/rds/message.c b/net/rds/message.c > index 071a261fdaab..392e3a2f41a0 100644 > --- a/net/rds/message.c > +++ b/net/rds/message.c > @@ -347,8 +347,9 @@ struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned in > rm->data.op_nents = DIV_ROUND_UP(total_len, PAGE_SIZE); > rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs); > if (IS_ERR(rm->data.op_sg)) { > + struct scatterlist *tmp = rm->data.op_sg; > rds_message_put(rm); > - return ERR_CAST(rm->data.op_sg); > + return ERR_CAST(tmp); > } > > for (i = 0; i < rm->data.op_nents; ++i) { > -- > 2.25.1 >
diff --git a/net/rds/message.c b/net/rds/message.c index 071a261fdaab..392e3a2f41a0 100644 --- a/net/rds/message.c +++ b/net/rds/message.c @@ -347,8 +347,9 @@ struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned in rm->data.op_nents = DIV_ROUND_UP(total_len, PAGE_SIZE); rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs); if (IS_ERR(rm->data.op_sg)) { + struct scatterlist *tmp = rm->data.op_sg; rds_message_put(rm); - return ERR_CAST(rm->data.op_sg); + return ERR_CAST(tmp); } for (i = 0; i < rm->data.op_nents; ++i) {
In rds_message_map_pages, rds_message_put() will free rm. Maybe store the value of rm->data.op_sg ahead of rds_message_put() is better. Otherwise other threads could allocate the freed chunk and may change the value of rm->data.op_sg. Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> --- net/rds/message.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)