Merge tag 'for-linus-5.13b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Pull xen fix from Juergen Gross:
"A single patch fixing a Xen related security bug: a malicious guest
might be able to trigger a 'use after free' issue in the xen-netback
driver"

* tag 'for-linus-5.13b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
xen-netback: take a reference to the RX task thread

Linus Torvalds 4 years ago 368094df 374aeb91

1 changed file

expand all

drivers

net

xen-netback

interface.c

drivers/net/xen-netback/interface.c

··· 684 684 { 685 685 if (queue->task) { 686 686 kthread_stop(queue->task); 687 + put_task_struct(queue->task); 687 688 queue->task = NULL; 688 689 } 689 690 ··· 746 745 if (IS_ERR(task)) 747 746 goto kthread_err; 748 747 queue->task = task; 748 + /* 749 + * Take a reference to the task in order to prevent it from being freed 750 + * if the thread function returns before kthread_stop is called. 751 + */ 752 + get_task_struct(task); 749 753 750 754 task = kthread_run(xenvif_dealloc_kthread, queue, 751 755 "%s-dealloc", queue->name);