net/rds: Fix a use after free in rds_message_map_pages

[ Upstream commit bdc2ab5c61a5c07388f4820ff21e787b4dfd1ced ] In rds_message_map_pages, the rm is freed by rds_message_put(rm). But rm is still used by rm->data.op_sg in return value. My patch assigns ERR_CAST(rm->data.op_sg) to err before the rm is freed to avoid the uaf. Fixes: 7dba92037baf3 ("net/rds: Use ERR_PTR for rds_message_alloc_sgs()") Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Lv Yunlong <lyl2019@mail.ustc.edu.cn> 2021-03-30 18:59:59 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-04-14 08:24:15 +0200
commit: c178e8a1993741fc401ee507a5a544f3192256c8 (patch)
tree: 1f74c449939a8a64e6ac82af34487951c677ea65 /net/rds
parent: 73f88cc2bf5c1385bfe20169572fdb4c8a8f12df (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/rds/message.c b/net/rds/message.c
index 2d43e13d6dd5..92b6b22884d4 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -347,8 +347,9 @@ struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned in
 	rm->data.op_nents = DIV_ROUND_UP(total_len, PAGE_SIZE);
 	rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs);
 	if (IS_ERR(rm->data.op_sg)) {
+		void *err = ERR_CAST(rm->data.op_sg);
 		rds_message_put(rm);
-		return ERR_CAST(rm->data.op_sg);
+		return err;
 	}
 
 	for (i = 0; i < rm->data.op_nents; ++i) {
author	Lv Yunlong <lyl2019@mail.ustc.edu.cn>	2021-03-30 18:59:59 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-04-14 08:24:15 +0200
commit	c178e8a1993741fc401ee507a5a544f3192256c8 (patch)
tree	1f74c449939a8a64e6ac82af34487951c677ea65 /net/rds
parent	73f88cc2bf5c1385bfe20169572fdb4c8a8f12df (diff)