This is a note to let you know that I've just added the patch titled net/rds: Avoid potential use after free in rds_send_remove_from_sock to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: net-rds-avoid-potential-use-after-free-in-rds_send_r.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit c04acb504c005d8ac0ae208870b806ee877dbae0 Author: Aditya Pakki <pakki001@xxxxxxx> Date: Tue Apr 6 19:09:12 2021 -0500 net/rds: Avoid potential use after free in rds_send_remove_from_sock [ Upstream commit 0c85a7e87465f2d4cbc768e245f4f45b2f299b05 ] In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource is freed and later under spinlock, causing potential use-after-free. Set the free pointer to NULL to avoid undefined behavior. Signed-off-by: Aditya Pakki <pakki001@xxxxxxx> Acked-by: Santosh Shilimkar <santosh.shilimkar@xxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/net/rds/message.c b/net/rds/message.c index 756c73729126..decf2ee33c23 100644 --- a/net/rds/message.c +++ b/net/rds/message.c @@ -89,6 +89,7 @@ void rds_message_put(struct rds_message *rm) rds_message_purge(rm); kfree(rm); + rm = NULL; } } EXPORT_SYMBOL_GPL(rds_message_put); diff --git a/net/rds/send.c b/net/rds/send.c index 1a3c6acdd3f8..1415a296f7b2 100644 --- a/net/rds/send.c +++ b/net/rds/send.c @@ -668,7 +668,7 @@ static void rds_send_remove_from_sock(struct list_head *messages, int status) unlock_and_drop: spin_unlock_irqrestore(&rm->m_rs_lock, flags); rds_message_put(rm); - if (was_on_sock) + if (was_on_sock && rm) rds_message_put(rm); }