author | WANG Cong <xiyou.wangcong@gmail.com> | 2016-01-29 11:58:03 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-01-29 22:56:46 -0800 |
commit | 3d45296ab96c2ec8308226b3350a6d9e48379870 (patch) | |
tree | 1842eaaeb44e9d2ac1d485833d0d7e3029e3a51a | |
parent | ae9d723e9fbe9fb28213b7df26475791428bf76a (diff) | |
irda: fix a potential use-after-free in ircomm_param_request

self->ctrl_skb is protected by self->spinlock, we should not
access it out of the lock. Move the debugging printk inside.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/irda/ircomm/ircomm_param.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/net/irda/ircomm/ircomm_param.c b/net/irda/ircomm/ircomm_param.c index 3c4caa6..5728e76 100644 --- a/net/irda/ircomm/ircomm_param.c +++ b/net/irda/ircomm/ircomm_param.c @@ -134,11 +134,10 @@ int ircomm_param_request(struct ircomm_tty_cb *self, __u8 pi, int flush) return -1; } skb_put(skb, count); + pr_debug("%s(), skb->len=%d\n", __func__, skb->len); spin_unlock_irqrestore(&self->spinlock, flags); - pr_debug("%s(), skb->len=%d\n", __func__ , skb->len); - if (flush) { /* ircomm_tty_do_softint will take care of the rest */ schedule_work(&self->tqueue); |
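Review bot: the moved pr_debug() now runs inside the self->spinlock critical section, directly before spin_unlock_irqrestore(&self->spinlock, flags), so when debugging is enabled the message is formatted and emitted with the lock held and interrupts still off. Reading skb->len into a local while the lock is held and printing it after the unlock would close the same window without lengthening the critical section. Separately, the commit message names self->ctrl_skb while the hunk dereferences the local skb; a short comment at the pr_debug() stating that skb must not be touched once the lock is dropped would keep a later cleanup from moving the print back out.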