From: Herbert Xu Date: Wed, 9 May 2007 03:04:39 +0000 (+1000) Subject: [CRYPTO] cryptomgr: Fix use after free X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=1605b8471d64c855bc2493abf3adf6a1ebc3e645;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git [CRYPTO] cryptomgr: Fix use after free By the time kthread_run returns the param may have already been freed so writing the returned thread_struct pointer to param is wrong. In fact, we don't need it in param anyway so this patch simply puts it on the stack. Signed-off-by: Herbert Xu --- diff --git a/crypto/cryptomgr.c b/crypto/cryptomgr.c index 6958ea83ee44..e5fb7cca5107 100644 --- a/crypto/cryptomgr.c +++ b/crypto/cryptomgr.c @@ -24,8 +24,6 @@ #include "internal.h" struct cryptomgr_param { - struct task_struct *thread; - struct rtattr *tb[CRYPTOA_MAX]; struct { @@ -81,6 +79,7 @@ err: static int cryptomgr_schedule_probe(struct crypto_larval *larval) { + struct task_struct *thread; struct cryptomgr_param *param; const char *name = larval->alg.cra_name; const char *p; @@ -130,8 +129,8 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval) memcpy(param->larval.name, larval->alg.cra_name, CRYPTO_MAX_ALG_NAME); - param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr"); - if (IS_ERR(param->thread)) + thread = kthread_run(cryptomgr_probe, param, "cryptomgr"); + if (IS_ERR(thread)) goto err_free_param; return NOTIFY_STOP;