| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200604144910.133756-1-zhengbin13@huawei.com>
Date: Thu, 4 Jun 2020 22:49:10 +0800
From: Zheng Bin <zhengbin13@...wei.com>
To: <bfields@...ldses.org>, <chuck.lever@...cle.com>,
<trond.myklebust@...merspace.com>, <anna.schumaker@...app.com>,
<davem@...emloft.net>, <kuba@...nel.org>,
<linux-nfs@...r.kernel.org>, <netdev@...r.kernel.org>
CC: <yuehaibing@...wei.com>, <weiyongjun1@...wei.com>,
<zhengbin13@...wei.com>
Subject: [PATCH] sunrpc: need delete xprt->timer in xs_destroy
If RPC use udp as it's transport protocol, transport->connect_worker
will call xs_udp_setup_socket.
xs_udp_setup_socket
sock = xs_create_sock
if (IS_ERR(sock))
goto out;
out:
xprt_unlock_connect
xprt_schedule_autodisconnect
mod_timer
internal_add_timer -->insert xprt->timer to base timer list
xs_destroy
cancel_delayed_work_sync(&transport->connect_worker)
xs_xprt_free(xprt) -->free xprt
Thus use-after-free will happen.
Signed-off-by: Zheng Bin <zhengbin13@...wei.com>
---
net/sunrpc/xprtsock.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 845d0be805ec..c796808e7f7a 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -1242,6 +1242,7 @@ static void xs_destroy(struct rpc_xprt *xprt)
dprintk("RPC: xs_destroy xprt %p\n", xprt);
cancel_delayed_work_sync(&transport->connect_worker);
+ del_timer_sync(&xprt->timer);
xs_close(xprt);
cancel_work_sync(&transport->recv_worker);
cancel_work_sync(&transport->error_worker);
--
2.26.0.106.g9fadedd
Powered by blists - more mailing lists