There is a use after free scenario while iterating through the nodes radix tree despite the ns being a single threaded process. This can happen when the radix tree APIs are not synchronized with the rcu_read_lock() APIs. Convert the radix tree for nodes to xarray to take advantage of the built in rcu lock usage provided by xarray. Signed-off-by: Chris Lew <quic_clew@xxxxxxxxxxx> Signed-off-by: Vignesh Viswanathan <quic_viswanat@xxxxxxxxxxx> Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx> --- net/qrtr/ns.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c index af28d9e6b53f..b1db0b519179 100644 --- a/net/qrtr/ns.c +++ b/net/qrtr/ns.c @@ -16,7 +16,7 @@ #define CREATE_TRACE_POINTS #include <trace/events/qrtr.h> -static RADIX_TREE(nodes, GFP_KERNEL); +static DEFINE_XARRAY(nodes); static struct { struct socket *sock; @@ -73,7 +73,7 @@ static struct qrtr_node *node_get(unsigned int node_id) { struct qrtr_node *node; - node = radix_tree_lookup(&nodes, node_id); + node = xa_load(&nodes, node_id); if (node) return node; @@ -85,7 +85,7 @@ static struct qrtr_node *node_get(unsigned int node_id) node->id = node_id; xa_init(&node->servers); - if (radix_tree_insert(&nodes, node_id, node)) { + if (xa_store(&nodes, node_id, node, GFP_KERNEL)) { kfree(node); return NULL; } -- 2.41.0