Commit 963ecbd4 authored Mar 15, 2015 by Herbert Xu Committed by David S. Miller Mar 15, 2015

rhashtable: Fix use-after-free in rhashtable_walk_stop



The commit c4db8848 ("rhashtable:
Move future_tbl into struct bucket_table") introduced a use-after-
free bug in rhashtable_walk_stop because it dereferences tbl after
droping the RCU read lock.

This patch fixes it by moving the RCU read unlock down to the bottom
of rhashtable_walk_stop.  In fact this was how I had it originally
but it got dropped while rearranging patches because this one
depended on the async freeing of bucket_table.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 0034de41

lib/rhashtable.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -854,10 +854,8 @@ void rhashtable_walk_stop(struct rhashtable_iter *iter)
		struct rhashtable *ht;
		struct bucket_table *tbl = iter->walker->tbl;

		rcu_read_unlock();

		if (!tbl)
		return;
		goto out;

		ht = iter->ht;

		@@ -869,6 +867,9 @@ void rhashtable_walk_stop(struct rhashtable_iter *iter)
		mutex_unlock(&ht->mutex);

		iter->p = NULL;

		out:
		rcu_read_unlock();
		}
		EXPORT_SYMBOL_GPL(rhashtable_walk_stop);