rhashtable: Fix use-after-free in rhashtable_walk_stop

The commit c4db8848af6af92f90462258603be844baeab44d ("rhashtable: Move future_tbl into struct bucket_table") introduced a use-after- free bug in rhashtable_walk_stop because it dereferences tbl after droping the RCU read lock. This patch fixes it by moving the RCU read unlock down to the bottom of rhashtable_walk_stop. In fact this was how I had it originally but it got dropped while rearranging patches because this one depended on the async freeing of bucket_table. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2015-03-15 06:12:04 -0400
committer: David S. Miller <davem@davemloft.net> 2015-03-15 22:22:08 -0400
commit: 963ecbd41a1026d99ec7537c050867428c397b89 (patch)
tree: b1735fd0d424222d31fb72f51d860b51e417dac5 /lib
parent: 0034de4193e4aad30bbbef4e74ca5e0631ba08a7 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/rhashtable.c b/lib/rhashtable.c
index 9d53a46dcca9..b916679b3e3b 100644
--- a/lib/rhashtable.c
+++ b/lib/rhashtable.c
@@ -854,10 +854,8 @@ void rhashtable_walk_stop(struct rhashtable_iter *iter)
        struct rhashtable *ht;
        struct bucket_table *tbl = iter->walker->tbl;
-        rcu_read_unlock();
        if (!tbl)
-                return;
+                goto out;
        ht = iter->ht;
@@ -869,6 +867,9 @@ void rhashtable_walk_stop(struct rhashtable_iter *iter)
        mutex_unlock(&ht->mutex);
        iter->p = NULL;
+out:
+        rcu_read_unlock();
 }
 EXPORT_SYMBOL_GPL(rhashtable_walk_stop);
author	Herbert Xu <herbert@gondor.apana.org.au>	2015-03-15 06:12:04 -0400
committer	David S. Miller <davem@davemloft.net>	2015-03-15 22:22:08 -0400
commit	963ecbd41a1026d99ec7537c050867428c397b89 (patch)
tree	b1735fd0d424222d31fb72f51d860b51e417dac5 /lib
parent	0034de4193e4aad30bbbef4e74ca5e0631ba08a7 (diff)