Commit 1605b8471d64c855bc2493abf3adf6a1ebc3e645

Authored by Herbert Xu
1 parent f6259deacf

[CRYPTO] cryptomgr: Fix use after free

By the time kthread_run returns the param may have already been freed
so writing the returned thread_struct pointer to param is wrong.

In fact, we don't need it in param anyway so this patch simply puts it
on the stack.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Showing 1 changed file with 3 additions and 4 deletions Side-by-side Diff

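--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -24,8 +24,6 @@
 #include "internal.h"
 
 struct cryptomgr_param {
-struct task_struct *thread;
-
 struct rtattr *tb[CRYPTOA_MAX];
 
 struct {
@@ -81,6 +79,7 @@
 
 static int cryptomgr_schedule_probe(struct crypto_larval *larval)
 {
+struct task_struct *thread;
 struct cryptomgr_param *param;
 const char *name = larval->alg.cra_name;
 const char *p;
@@ -130,8 +129,8 @@
 
 memcpy(param->larval.name, larval->alg.cra_name, CRYPTO_MAX_ALG_NAME);
 
-param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
-if (IS_ERR(param->thread))
+thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
+if (IS_ERR(thread))
 goto err_free_param;
 
 return NOTIFY_STOP;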
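Review bot: The ownership handoff that motivates this fix is not recorded anywhere in the new code: after `kthread_run()` succeeds, `param` belongs to the probe thread and (per the commit description) may already be freed when the call returns, so any later access to `param` on the success path would reintroduce the same use-after-free. A comment above the call in the third hunk would keep that invariant visible to the next maintainer, e.g. `/* param is handed to the probe thread here and may be freed before kthread_run() returns; only the IS_ERR() path may still touch it, where it is ours to free */`. Note also that `thread` is read only by the `IS_ERR()` check in this hunk, so its sole purpose is error detection; if that is intentional, the comment could say so to stop someone from "restoring" a stored pointer later. The body of cryptomgr_schedule_probe, including the err_free_param label, continues outside the hunk.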