mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-09 15:29:16 +00:00
rhashtable: Fix use-after-free in rhashtable_walk_stop
The commit c4db8848af6af92f90462258603be844baeab44d ("rhashtable: Move future_tbl into struct bucket_table") introduced a use-after- free bug in rhashtable_walk_stop because it dereferences tbl after droping the RCU read lock. This patch fixes it by moving the RCU read unlock down to the bottom of rhashtable_walk_stop. In fact this was how I had it originally but it got dropped while rearranging patches because this one depended on the async freeing of bucket_table. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
0034de4193
commit
963ecbd41a
@ -854,10 +854,8 @@ void rhashtable_walk_stop(struct rhashtable_iter *iter)
|
||||
struct rhashtable *ht;
|
||||
struct bucket_table *tbl = iter->walker->tbl;
|
||||
|
||||
rcu_read_unlock();
|
||||
|
||||
if (!tbl)
|
||||
return;
|
||||
goto out;
|
||||
|
||||
ht = iter->ht;
|
||||
|
||||
@ -869,6 +867,9 @@ void rhashtable_walk_stop(struct rhashtable_iter *iter)
|
||||
mutex_unlock(&ht->mutex);
|
||||
|
||||
iter->p = NULL;
|
||||
|
||||
out:
|
||||
rcu_read_unlock();
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(rhashtable_walk_stop);
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user