summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2007-05-09 13:04:39 +1000
committerHerbert Xu <herbert@gondor.apana.org.au>2007-05-09 13:04:39 +1000
commit1605b8471d64c855bc2493abf3adf6a1ebc3e645 (patch)
tree9196656af011cb1b678b27fc76f47355134f3256
parentf6259deacfd55607ae57cff422d3bc7694ea14e7 (diff)
[CRYPTO] cryptomgr: Fix use after free
By the time kthread_run returns the param may have already been freed so writing the returned thread_struct pointer to param is wrong. In fact, we don't need it in param anyway so this patch simply puts it on the stack. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r--crypto/cryptomgr.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/crypto/cryptomgr.c b/crypto/cryptomgr.c
index 6958ea83ee44..e5fb7cca5107 100644
--- a/crypto/cryptomgr.c
+++ b/crypto/cryptomgr.c
@@ -24,8 +24,6 @@
#include "internal.h"
struct cryptomgr_param {
- struct task_struct *thread;
-
struct rtattr *tb[CRYPTOA_MAX];
struct {
@@ -81,6 +79,7 @@ err:
static int cryptomgr_schedule_probe(struct crypto_larval *larval)
{
+ struct task_struct *thread;
struct cryptomgr_param *param;
const char *name = larval->alg.cra_name;
const char *p;
@@ -130,8 +129,8 @@ static int cryptomgr_schedule_probe(struct crypto_larval *larval)
memcpy(param->larval.name, larval->alg.cra_name, CRYPTO_MAX_ALG_NAME);
- param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
- if (IS_ERR(param->thread))
+ thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
+ if (IS_ERR(thread))
goto err_free_param;
return NOTIFY_STOP;