Skip to content

Commit 368094d

Browse files
committed
Merge tag 'for-linus-5.13b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
Pull xen fix from Juergen Gross: "A single patch fixing a Xen related security bug: a malicious guest might be able to trigger a 'use after free' issue in the xen-netback driver" * tag 'for-linus-5.13b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen-netback: take a reference to the RX task thread
2 parents 374aeb9 + 107866a commit 368094d

File tree

1 file changed

+6
-0
lines changed

1 file changed

+6
-0
lines changed

drivers/net/xen-netback/interface.c

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -684,6 +684,7 @@ static void xenvif_disconnect_queue(struct xenvif_queue *queue)
684684
{
685685
if (queue->task) {
686686
kthread_stop(queue->task);
687+
put_task_struct(queue->task);
687688
queue->task = NULL;
688689
}
689690

@@ -745,6 +746,11 @@ int xenvif_connect_data(struct xenvif_queue *queue,
745746
if (IS_ERR(task))
746747
goto kthread_err;
747748
queue->task = task;
749+
/*
750+
* Take a reference to the task in order to prevent it from being freed
751+
* if the thread function returns before kthread_stop is called.
752+
*/
753+
get_task_struct(task);
748754

749755
task = kthread_run(xenvif_dealloc_kthread, queue,
750756
"%s-dealloc", queue->name);

0 commit comments

Comments
 (0)