diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-05-09 13:04:39 +1000 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2007-05-09 13:04:39 +1000 |
commit | e034cb4c740bde77f3f2355f3ba3059b0f62a102 (patch) | |
tree | 8ed017195b4c7c50799115bca69f358c0acbeb59 /crypto/cryptomgr.c | |
parent | 8967d2553b73f60326a77a2fd996d1f74b58b2c1 (diff) | |
download | linux-crypto-e034cb4c740bde77f3f2355f3ba3059b0f62a102.tar.gz linux-crypto-e034cb4c740bde77f3f2355f3ba3059b0f62a102.zip |
[CRYPTO] cryptomgr: Fix use after free
By the time kthread_run returns the param may have already been freed
so writing the returned thread_struct pointer to param is wrong.
In fact, we don't need it in param anyway so this patch simply puts it
on the stack.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to '')
-rw-r--r-- | crypto/cryptomgr.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/crypto/cryptomgr.c b/crypto/cryptomgr.c index 6958ea83..e5fb7cca 100644 --- a/crypto/cryptomgr.c +++ b/crypto/cryptomgr.c @@ -24,8 +24,6 @@ #include "internal.h" struct cryptomgr_param { - struct task_struct *thread; - struct rtattr *tb[CRYPTOA_MAX]; struct { @@ -81,6 +79,7 @@ err: static int cryptomgr_schedule_probe(struct crypto_larval *larval) { + struct task_struct *thread; struct cryptomgr_param *param; const char *name = larval->alg.cra_name; const char *p; @@ -130,8 +129,8 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval) memcpy(param->larval.name, larval->alg.cra_name, CRYPTO_MAX_ALG_NAME); - param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr"); - if (IS_ERR(param->thread)) + thread = kthread_run(cryptomgr_probe, param, "cryptomgr"); + if (IS_ERR(thread)) goto err_free_param; return NOTIFY_STOP; |