From: Zheng Bin zhengbin13@huawei.com
hulk inclusion
category: bugfix
bugzilla: 35486
CVE: NA
-----------------------------------------------
If RPC uses udp as its transport protocol, transport->connect_worker will call xs_udp_setup_socket.
xs_setup_udp
  INIT_DELAYED_WORK(&transport->connect_worker, xs_udp_setup_socket)

xs_connect            |                              |
  queue_delayed_work  |                              |
                      |xprt_destroy                  |
                      |  wait_on_bit_lock(LOCKED)    |
                      |  del_timer_sync(del timer)   |
                      |  xprt_destroy_cb             |
                      |    xs_destroy                |
                      |      cancel_delayed_work_sync|
                      |                              |xs_udp_setup_socket
                      |                              |  xprt_unlock_connect
                      |                              |    test_bit(XPRT_LOCKED(OK)
                      |                              |    xprt_schedule_autodisconnect
                      |                              |      mod_timer(insert timer to list)
                      |      xs_xprt_free(free xprt) |
                      |                              |
                      |                              |      access timer(use-after-free)

Delete xprt->timer to avoid this.
Signed-off-by: Zheng Bin zhengbin13@huawei.com
Reviewed-by: YueHaibing yuehaibing@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 net/sunrpc/xprtsock.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 627eb8337f3a..1f8d97084237 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -915,6 +915,7 @@ static void xs_destroy(struct rpc_xprt *xprt) dprintk("RPC: xs_destroy xprt %p\n", xprt);
cancel_delayed_work_sync(&transport->connect_worker); + del_timer_sync(&xprt->timer); xs_close(xprt); cancel_work_sync(&transport->recv_worker); xs_xprt_free(xprt);
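Review bot: the new del_timer_sync(&xprt->timer) call in xs_destroy() has no comment, yet its placement after cancel_delayed_work_sync(&transport->connect_worker) is what makes it effective: per the commit message, the connect worker re-arms the timer through xprt_schedule_autodisconnect() after xprt_destroy() has already deleted it once. Suggest a one-line comment above the call stating that connect_worker may have re-armed xprt->timer and that the call must stay after the cancel, so a later reorder does not reopen the use-after-free. It would also help if the changelog confirmed that nothing reached from xs_close() or from recv_worker, which is only cancelled after this call, can call mod_timer() on xprt->timer before xs_xprt_free(xprt).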