This is a note to let you know that I've just added the patch titled
net/rds: Avoid potential use after free in rds_send_remove_from_sock
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
net-rds-avoid-potential-use-after-free-in-rds_send_r.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit c04acb504c005d8ac0ae208870b806ee877dbae0
Author: Aditya Pakki <pakki001@xxxxxxx>
Date: Tue Apr 6 19:09:12 2021 -0500
net/rds: Avoid potential use after free in rds_send_remove_from_sock
[ Upstream commit 0c85a7e87465f2d4cbc768e245f4f45b2f299b05 ]
In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource
is freed and later under spinlock, causing potential use-after-free.
Set the free pointer to NULL to avoid undefined behavior.
Signed-off-by: Aditya Pakki <pakki001@xxxxxxx>
Acked-by: Santosh Shilimkar <santosh.shilimkar@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/net/rds/message.c b/net/rds/message.c
index 756c73729126..decf2ee33c23 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -89,6 +89,7 @@ void rds_message_put(struct rds_message *rm)
rds_message_purge(rm);
kfree(rm);
+ rm = NULL;
}
}
EXPORT_SYMBOL_GPL(rds_message_put);
diff --git a/net/rds/send.c b/net/rds/send.c
index 1a3c6acdd3f8..1415a296f7b2 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -668,7 +668,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status)
unlock_and_drop:
spin_unlock_irqrestore(&rm->m_rs_lock, flags);
rds_message_put(rm);
- if (was_on_sock)
+ if (was_on_sock && rm)
rds_message_put(rm);
}
