Message ID | 20200713152014.244936-1-idosch@idosch.org |
---|---|
State | Accepted |
Delegated to: | David Miller |
Series | [net-next] devlink: Fix use-after-free when destroying health reporters |

On Mon, 13 Jul 2020 18:20:14 +0300 Ido Schimmel wrote:
> From: Ido Schimmel <idosch@mellanox.com>
>
> Dereferencing the reporter after it was destroyed in order to unlock the
> reporters lock results in a use-after-free [1].
>
> Fix this by storing a pointer to the lock in a local variable before
> destroying the reporter.

Reviewed-by: Jakub Kicinski <kuba@kernel.org>

From: Ido Schimmel <idosch@idosch.org>
Date: Mon, 13 Jul 2020 18:20:14 +0300

> From: Ido Schimmel <idosch@mellanox.com>
>
> Dereferencing the reporter after it was destroyed in order to unlock the
> reporters lock results in a use-after-free [1].
>
> Fix this by storing a pointer to the lock in a local variable before
> destroying the reporter.
>
> [1] ...
> Fixes: 3c5584bf0a04 ("devlink: Rework devlink health reporter destructor")
> Fixes: 15c724b997a8 ("devlink: Add devlink health port reporters API")
> Signed-off-by: Ido Schimmel <idosch@mellanox.com>
> Reviewed-by: Moshe Shemesh <moshe@mellanox.com>
> Reviewed-by: Jiri Pirko <jiri@mellanox.com>

Applied to net-next, thanks.

diff --git a/net/core/devlink.c b/net/core/devlink.c index 20a83aace642..6335e1851088 100644 --- a/net/core/devlink.c +++ b/net/core/devlink.c @@ -5471,9 +5471,11 @@ __devlink_health_reporter_destroy(struct devlink_health_reporter *reporter) void devlink_health_reporter_destroy(struct devlink_health_reporter *reporter) { - mutex_lock(&reporter->devlink->reporters_lock); + struct mutex *lock = &reporter->devlink->reporters_lock; + + mutex_lock(lock); __devlink_health_reporter_destroy(reporter); - mutex_unlock(&reporter->devlink->reporters_lock); + mutex_unlock(lock); } EXPORT_SYMBOL_GPL(devlink_health_reporter_destroy); @@ -5485,9 +5487,11 @@ EXPORT_SYMBOL_GPL(devlink_health_reporter_destroy); void devlink_port_health_reporter_destroy(struct devlink_health_reporter *reporter) { - mutex_lock(&reporter->devlink_port->reporters_lock); + struct mutex *lock = &reporter->devlink_port->reporters_lock; + + mutex_lock(lock); __devlink_health_reporter_destroy(reporter); - mutex_unlock(&reporter->devlink_port->reporters_lock); + mutex_unlock(lock); } EXPORT_SYMBOL_GPL(devlink_port_health_reporter_destroy);
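
Review bot: in devlink_health_reporter_destroy(), the new local "lock" carries no comment explaining why the address is cached, and nothing at the call site shows that __devlink_health_reporter_destroy() leaves "reporter" unusable. A one-line comment above "struct mutex *lock = &reporter->devlink->reporters_lock;" saying that the reporter must not be dereferenced after the destroy call would keep a later cleanup from folding the local back into mutex_unlock(&reporter->devlink->reporters_lock) and reintroducing the use-after-free.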
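
Review bot: in devlink_port_health_reporter_destroy(), the cached pointer targets reporter->devlink_port->reporters_lock, so the final mutex_unlock(lock) is only safe if the devlink_port outlives the call, and the hunk does not show what guarantees that. Consider stating in the function's comment that the caller must keep the port alive until this function returns, so the lifetime assumption behind the saved lock pointer is documented next to the code that relies on it.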