KASAN: use-after-free Read in rxrpc_send_data_packet

David Howells dhowells at redhat.com
Mon Feb 1 05:12:36 EST 2021


Hillf Danton <hdanton at sina.com> wrote:

> --- a/net/rxrpc/call_object.c
> +++ b/net/rxrpc/call_object.c
> @@ -549,6 +549,7 @@ void rxrpc_release_call(struct rxrpc_soc
>  	if (call->security)
>  		call->security->free_call_crypto(call);
>  
> +	cancel_work_sync(&call->processor);
>  	rxrpc_cleanup_ring(call);
>  	_leave("");
>  }
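Review bot: the cancel_work_sync() is placed after the `if (call->security) call->security->free_call_crypto(call);` block, so a queued or running call->processor work item can still be executing while the crypto state it may use has already been freed; it should be moved above the `if (call->security)` check so the work is quiesced before any per-call resources are torn down. As written, the hunk only guarantees that the work is gone before rxrpc_cleanup_ring(), which closes the window for the reported use-after-free in rxrpc_send_data_packet but leaves the same ordering hazard for free_call_crypto().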

It's probably better to do the cancellation before we call
->free_call_crypto().

Two other alternatives would be to lock in rxrpc_cleanup_ring() or just remove
that call of rxrpc_cleanup_ring() and leave it to rxrpc_cleanup_call() (which
calls it anyway).  The latter might be the best option as the work function
holds a ref on the call.

Clearing the ring in rxrpc_release_call() is more of an optimisation, meant to
recycle skbuffs sooner, but I would hope that the call would be destroyed
quickly after this point anyway.

David
