diff options
| author | WANG Cong <xiyou.wangcong@gmail.com> | 2016-01-29 14:58:03 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-01-30 01:56:46 -0500 |
| commit | 3d45296ab96c2ec8308226b3350a6d9e48379870 (patch) | |
| tree | 1842eaaeb44e9d2ac1d485833d0d7e3029e3a51a /net | |
| parent | ae9d723e9fbe9fb28213b7df26475791428bf76a (diff) | |
irda: fix a potential use-after-free in ircomm_param_request
self->ctrl_skb is protected by self->spinlock, we should not
access it out of the lock. Move the debugging printk inside.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/irda/ircomm/ircomm_param.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/net/irda/ircomm/ircomm_param.c b/net/irda/ircomm/ircomm_param.c index 3c4caa60c926..5728e76ca6d5 100644 --- a/net/irda/ircomm/ircomm_param.c +++ b/net/irda/ircomm/ircomm_param.c | |||
| @@ -134,11 +134,10 @@ int ircomm_param_request(struct ircomm_tty_cb *self, __u8 pi, int flush) | |||
| 134 | return -1; | 134 | return -1; |
| 135 | } | 135 | } |
| 136 | skb_put(skb, count); | 136 | skb_put(skb, count); |
| 137 | pr_debug("%s(), skb->len=%d\n", __func__, skb->len); | ||
| 137 | 138 | ||
| 138 | spin_unlock_irqrestore(&self->spinlock, flags); | 139 | spin_unlock_irqrestore(&self->spinlock, flags); |
| 139 | 140 | ||
| 140 | pr_debug("%s(), skb->len=%d\n", __func__ , skb->len); | ||
| 141 | |||
| 142 | if (flush) { | 141 | if (flush) { |
| 143 | /* ircomm_tty_do_softint will take care of the rest */ | 142 | /* ircomm_tty_do_softint will take care of the rest */ |
| 144 | schedule_work(&self->tqueue); | 143 | schedule_work(&self->tqueue); |