diff options
author | Trond Myklebust <trond.myklebust@hammerspace.com> | 2019-05-29 12:49:52 -0400 |
---|---|---|
committer | Anna Schumaker <Anna.Schumaker@Netapp.com> | 2019-05-30 15:29:41 -0400 |
commit | 7987b694ade8cc465ce10fb3dceaa614f13ceaf3 (patch) | |
tree | 5c71e423c301bd079f8bcf7f298ffd6688600d1d /net/tipc/monitor.h | |
parent | ec6017d9035986a36de064f48a63245930bfad6f (diff) | |
download | linux-7987b694ade8cc465ce10fb3dceaa614f13ceaf3.tar.bz2 |
SUNRPC: Fix a use after free when a server rejects the RPCSEC_GSS credential
The addition of rpc_check_timeout() to call_decode causes an Oops
when the RPCSEC_GSS credential is rejected.
The reason is that rpc_decode_header() will call xprt_release() in
order to free task->tk_rqstp, which is needed by rpc_check_timeout()
to check whether or not we should exit due to a soft timeout.
The fix is to move the call to xprt_release() into call_decode() so
we can perform it after rpc_check_timeout().
Reported-by: Olga Kornievskaia <olga.kornievskaia@gmail.com>
Reported-by: Nick Bowler <nbowler@draconx.ca>
Fixes: cea57789e408 ("SUNRPC: Clean up")
Cc: stable@vger.kernel.org # v5.1+
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Diffstat (limited to 'net/tipc/monitor.h')
0 files changed, 0 insertions, 0 deletions