diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-05-09 05:04:39 +0200 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2007-05-09 05:04:39 +0200 |
commit | 1605b8471d64c855bc2493abf3adf6a1ebc3e645 (patch) | |
tree | 9196656af011cb1b678b27fc76f47355134f3256 | |
parent | [CRYPTO] padlock: Remove pointless padlock module (diff) | |
download | linux-1605b8471d64c855bc2493abf3adf6a1ebc3e645.tar.xz linux-1605b8471d64c855bc2493abf3adf6a1ebc3e645.zip |
[CRYPTO] cryptomgr: Fix use after free
By the time kthread_run returns the param may have already been freed
so writing the returned thread_struct pointer to param is wrong.
In fact, we don't need it in param anyway so this patch simply puts it
on the stack.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r-- | crypto/cryptomgr.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/crypto/cryptomgr.c b/crypto/cryptomgr.c index 6958ea83ee44..e5fb7cca5107 100644 --- a/crypto/cryptomgr.c +++ b/crypto/cryptomgr.c @@ -24,8 +24,6 @@ #include "internal.h" struct cryptomgr_param { - struct task_struct *thread; - struct rtattr *tb[CRYPTOA_MAX]; struct { @@ -81,6 +79,7 @@ err: static int cryptomgr_schedule_probe(struct crypto_larval *larval) { + struct task_struct *thread; struct cryptomgr_param *param; const char *name = larval->alg.cra_name; const char *p; @@ -130,8 +129,8 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval) memcpy(param->larval.name, larval->alg.cra_name, CRYPTO_MAX_ALG_NAME); - param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr"); - if (IS_ERR(param->thread)) + thread = kthread_run(cryptomgr_probe, param, "cryptomgr"); + if (IS_ERR(thread)) goto err_free_param; return NOTIFY_STOP; |